06-15-2019 06:57 AM
We have a AD domain added to ISE with two sub-organizations, say orgA and orgB - these are the two OU's. We want to use ISE to match computer objects from only a single OU (orgB). So for example we have Domain Computers AD group, but the objects in this group are either in orgA or orgB, and we only want to match ones from orgB. Would my authorization policy condition be something like this:
if:
AD1:DistinguishedName MATCHES .*(ou=orgB).* AND
AD1:ExternalGroups EQUALS AD1/Users/Domain Computers
then: PermitAccess
Basically orgA objects should not be authorized by ISE, only orgB. There was another discussion here saying "not recommended to use OU, which is not indexed, so would result in poorer performance" Is there an alternative way to make this work without performance hit? How bad would the poorer performance be?
Solved! Go to Solution.
06-15-2019 06:45 PM
06-15-2019 06:45 PM
06-16-2019 05:48 PM
Hi Francesco thanks for the reply. Just to clarify its actually just one domain and the different orgs sit under their own OU. So whitelist domain wont help.
If I understand correctly we can use OU distinguished name attribute IF this attribute has been indexed on AD side? Once indexed it won't cause any performance issue on ISE correct?
06-16-2019 07:03 PM
06-17-2019 05:55 AM
Using "Domain Computers" isn't something I'd do if you're using simple OUs to separate resources on the domain. You should probably be using specific AD security groups for each sub-org. That will make policy configuration simple.
06-21-2019 08:42 AM
Okay but if I had to do it this way. Is the matching statement for distinguished name correct that I have here?
AD1:DistinguishedName MATCHES .*(ou=orgB).*
06-22-2019 05:07 AM
I've not tested it, but yes it looks like the Regex would work with a minor tweak. You'll need to be case-sensitive with the expression, so:
.*(OU=orgB).*
You'd might want tighten up the Regex though to ensure it matches the exact OU and that it can't be abused via other OUs being created in AD. If you look at what a current user/computer's DN looks like via ISE's AD Attributes page you can pull the rest of the string to put in the Regex. In my lab it's:
CN=labuser,OU=Lab,DC=lab,DC=local
So my Regex would be:
(CN=).*(OU=Lab,DC=lab,DC=local)$
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide