cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1048
Views
15
Helpful
6
Replies

AD Nested Groups Configuration for CPP policy

Hi Experts,

We've ISE 2.6 patch 8 and started upgrading the CM from 3.6 to 4.3 on a phased approach by adding a specific CPP policy at the top with the AD groups as other condition. If user is part of the AD group, they'll be provisioned with 4.3, all other users will continue via 3.6 access (fallback).

Now, we're planning to add the groups into the AD group which is used in the CPP configuration to accomplish the phased approach. Now, my query is on the Nested groups. Please assist.

Main Group: CM4.3_VPN_group
Nested group: Sales, Finance, IT, HR, Marketing

1.If ISE can query the nested AD groups?
2.And if yes, what’s the maximum hierarchy level that it can look into?
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups

Note: Currently, only the main group is added under the External Identity Sources

1 ACCEPTED SOLUTION

Accepted Solutions
Mike.Cifelli
VIP Advocate

1.If ISE can query the nested AD groups?

-Yes.  They will need to be added in ISE if you wish to target those groups as a condition in policies.
2.And if yes, what’s the maximum hierarchy level that it can look into?

-Good question.  Honestly not sure if there is one.
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups

-Depends if you wish to target the exact group.  Otherwise all ISE needs is the top level group to reference.

HTH!

View solution in original post

6 REPLIES 6
Mike.Cifelli
VIP Advocate

1.If ISE can query the nested AD groups?

-Yes.  They will need to be added in ISE if you wish to target those groups as a condition in policies.
2.And if yes, what’s the maximum hierarchy level that it can look into?

-Good question.  Honestly not sure if there is one.
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups

-Depends if you wish to target the exact group.  Otherwise all ISE needs is the top level group to reference.

HTH!

View solution in original post

@Mike.Cifelli 

 Thanks for the reply. From the above reply, I assume (nested groups not required to be added under External Identity Sources -> AD Group Name -> Groups) and adding only the Main Group would suffice the CPP/Authorization policy to achieve the phased approach to work.

Please confirm?

From the above reply, I assume (nested groups not required to be added under External Identity Sources -> AD Group Name -> Groups) and adding only the Main Group would suffice the CPP/Authorization policy to achieve the phased approach to work.

-Yes. That is correct.

Thanks @Mike.Cifelli You've been so helpful.

Final one, I've google it but not getting much info. Any idea on how to push the Compliance Module via SCCM..?

Mike.Cifelli
VIP Advocate

No problem happy to help.  Not really an SCCM guy so not much help there.  However, you do have the ability to rely on ISE CPP to upgrade the compliance module.  I assume you already are aware of that.  Good luck!

Hi again @Mike.Cifelli 

Can you please confirm if it’s resource intensive on ISE if we push the compliance module for all users in a single shot via CPP?

Content for Community-Ad