cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

113
Views
5
Helpful
2
Replies
Beginner

What to do if user matches multiple external groups in authorization policy

I'm in the process of setting up Active Directory access to Cisco Prime through ISE. I have an AD group that I'm using to allow access to Prime through one rule, and we also have a group used to allow network device access with another rule. Because of the way the authorization policy seems to work, as soon as it runs into one of these rules, it exits the authorization, which seems to mean that I can only have one or the other.

 

By this I mean that my user account is a member of both the Prime access group and Network Device access group, but because the Network Device rule is first in the list, I can't access Prime with my AD account. Conversely, if I move the Prime rule above the Network Device rule, then I can access Prime with my AD account but then that breaks my login to Network Devices.

 

Is there a way to use both of these authorization policy rules at once? It seems kind of odd that we could only use one or the other.

 

As a troubleshooting step, I combined the access of the TACACS profiles together into one to see if I could fix it that way, but it seems to break access to Network Devices still because of the custom rules used in the Prime TACACS profile.

 

Any help on this issue would be greatly appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Rising star

Re: What to do if user matches multiple external groups in authorization policy

Add a condition to your Prime authorization policy to match the Network Access:Device IP Address or Network Device:NetworkDeviceName attribute matches how you have it defined as a NAD in ISE.

 

Your rule would be: IF AD Group = Prime Access AND Network Access:Attribute equals <value>

View solution in original post

2 REPLIES 2
Rising star

Re: What to do if user matches multiple external groups in authorization policy

Add a condition to your Prime authorization policy to match the Network Access:Device IP Address or Network Device:NetworkDeviceName attribute matches how you have it defined as a NAD in ISE.

 

Your rule would be: IF AD Group = Prime Access AND Network Access:Attribute equals <value>

View solution in original post

Beginner

Re: What to do if user matches multiple external groups in authorization policy

This seems to have done the trick, thank you for the help! I added an AND to the rule with device type equals: all device types. After adding this line, I seem to be able to log into both Prime and any of my network devices as well.

 

I am a bit confused on how exactly this worked, however. Would you be able to explain a bit more? It was my understanding that once ISE matches a rule, it stops the authorization process. Is that an incorrect assumption?