Solved: Re: AD Nested Groups Configuration

Srinivasan Nagarajan · ‎03-12-2021

Hi Experts,

We've ISE 2.6 patch 8 and started upgrading the CM from 3.6 to 4.3 on a phased approach by adding a specific CPP policy at the top with the AD groups as other condition. If user is part of the AD group, they'll be provisioned with 4.3, all other users will continue via 3.6 access (fallback).

Now, we're planning to add the groups into the AD group which is used in the CPP configuration to accomplish the phased approach. Now, my query is on the Nested groups. Please assist.

Main Group: CM4.3_VPN_group
Nested group: Sales, Finance, IT, HR, Marketing

1.If ISE can query the nested AD groups?
2.And if yes, what’s the maximum hierarchy level that it can look into?
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups

Note: Currently, only the main group is added under the External Identity Sources

Mike.Cifelli · ‎03-12-2021

1.If ISE can query the nested AD groups?

-Yes. They will need to be added in ISE if you wish to target those groups as a condition in policies.
2.And if yes, what’s the maximum hierarchy level that it can look into?

-Good question. Honestly not sure if there is one.
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups

-Depends if you wish to target the exact group. Otherwise all ISE needs is the top level group to reference.

HTH!

View solution in original post

Mike.Cifelli · ‎03-12-2021

1.If ISE can query the nested AD groups?

-Yes. They will need to be added in ISE if you wish to target those groups as a condition in policies.
2.And if yes, what’s the maximum hierarchy level that it can look into?

-Good question. Honestly not sure if there is one.
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups

-Depends if you wish to target the exact group. Otherwise all ISE needs is the top level group to reference.

HTH!

Srinivasan Nagarajan · ‎03-12-2021

@Mike.Cifelli

Thanks for the reply. From the above reply, I assume (nested groups not required to be added under External Identity Sources -> AD Group Name -> Groups) and adding only the Main Group would suffice the CPP/Authorization policy to achieve the phased approach to work.

Please confirm?

Mike.Cifelli · ‎03-12-2021

From the above reply, I assume (nested groups not required to be added under External Identity Sources -> AD Group Name -> Groups) and adding only the Main Group would suffice the CPP/Authorization policy to achieve the phased approach to work.

-Yes. That is correct.

Srinivasan Nagarajan · ‎03-12-2021

Thanks @Mike.Cifelli You've been so helpful.

Final one, I've google it but not getting much info. Any idea on how to push the Compliance Module via SCCM..?

Mike.Cifelli · ‎03-12-2021

No problem happy to help. Not really an SCCM guy so not much help there. However, you do have the ability to rely on ISE CPP to upgrade the compliance module. I assume you already are aware of that. Good luck!

Srinivasan Nagarajan · ‎03-15-2021

Hi again @Mike.Cifelli

Can you please confirm if it’s resource intensive on ISE if we push the compliance module for all users in a single shot via CPP?

AD Nested Groups Configuration for CPP policy