03-12-2021 07:41 AM - edited 03-12-2021 11:02 AM
Hi Experts,
We've ISE 2.6 patch 8 and started upgrading the CM from 3.6 to 4.3 on a phased approach by adding a specific CPP policy at the top with the AD groups as other condition. If user is part of the AD group, they'll be provisioned with 4.3, all other users will continue via 3.6 access (fallback).
Now, we're planning to add the groups into the AD group which is used in the CPP configuration to accomplish the phased approach. Now, my query is on the Nested groups. Please assist.
Main Group: CM4.3_VPN_group
Nested group: Sales, Finance, IT, HR, Marketing
1. If ISE can query the nested AD groups?
2.And if yes, what’s the maximum hierarchy level that it can look into?
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups
Note: Currently, only the main group is added under the External Identity Sources
03-12-2021 08:38 AM
1. If ISE can query the nested AD groups?
-Yes. They will need to be added in ISE if you wish to target those groups as a condition in policies.
2.And if yes, what’s the maximum hierarchy level that it can look into?
-Good question. Honestly not sure if there is one.
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups
-Depends if you wish to target the exact group. Otherwise all ISE needs is the top level group to reference.
HTH!
03-12-2021 09:01 AM
Thanks for the reply. From the above reply, I assume the nested groups are not required to be added under External Identity Sources -> AD Group Name -> Groups, and adding only the Main Group would suffice for the CPP/Authorization policy to make the phased approach work.
Please confirm?
03-12-2021 09:38 AM
From the above reply, I assume (nested groups not required to be added under External Identity Sources -> AD Group Name -> Groups) and adding only the Main Group would suffice the CPP/Authorization policy to achieve the phased approach to work.
-Yes. That is correct.
03-12-2021 11:00 AM
Thanks @Mike.Cifelli, you've been so helpful.
Final one: I've googled it but am not getting much info. Any idea on how to push the Compliance Module via SCCM?
03-12-2021 11:54 AM
No problem, happy to help. Not really an SCCM guy, so not much help there. However, you do have the ability to rely on ISE CPP to upgrade the compliance module. I assume you are already aware of that. Good luck!
03-15-2021 08:39 AM - edited 03-15-2021 08:40 AM
Hi again @Mike.Cifelli
Can you please confirm if it’s resource intensive on ISE if we push the compliance module for all users in a single shot via CPP?