10-27-2021 01:54 PM
Hello everyone, I have a query. I need to know if it is possible to block an AD user from accessing some devices while continuing to access all the others. The user is in an AD group that we could not remove the user from, because the user should continue accessing the other devices.
Do you know if there is a way?
Thanks
Best regards.
10-27-2021 10:31 PM
You can create one or more authorization policies to achieve it.
1. Organize the prohibited device information, such as location information, device type, etc.
2. Create a new authorization policy, for example: prohibit ilay from accessing devices with Location=Beijing. Then set 'Location=Beijing', 'User-Name=ilay' in the conditions, select 'DenyAccess' in the results, and save the authorization policy after the setting is complete. (Other conditions can also be used, such as device IP address, etc.) // If the devices are not grouped, you may need to create a rule for each device
3. Verify the configuration: try to log in to verify whether the policy is effective.
As shown above, user ilay was denied by the rule.
ilay
HTH.
10-28-2021 09:38 AM
Thanks ilay for your help. I have one more question: can we use the same device in different groups?
Best regards
10-28-2021 05:05 PM
This may not work.
You can try a layered design, like this:
--------------------------
|-All Location
| -- Beijing
| -- Haidian
| -- Site A
| --- etc...
| -- Site B
| -- Chaoyang
| -- Shanghai
| -- Changning
| -- Huangpu
--------------------------
Group devices into sub-groups. If necessary, you can use the upper-level GroupName for policy setting.
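The deny rule and the layered location groups from this thread, as an added example that is not part of the original posts and is not Cisco ISE code: a model of how a user-specific `DenyAccess` rule interacts with a broader group permit when a device sits in one leaf group and policies reference an upper level. It assumes top-down, first-match rule evaluation and a `#` separator between hierarchy levels; the AD group `NetAdmins`, the rule names and the location paths are constructed.

```python
# Model of the policy described in the thread; not Cisco ISE code.
# Assumptions: rules are evaluated top-down and the first match wins; each
# device has exactly one location path; group and rule names are constructed.
from dataclasses import dataclass
from typing import Optional

SEP = "#"  # assumed separator between levels of the location hierarchy


@dataclass(frozen=True)
class Rule:
    name: str
    result: str                      # "PermitAccess" or "DenyAccess"
    user: Optional[str] = None       # None matches any user
    ad_group: Optional[str] = None   # None matches any AD group
    location: Optional[str] = None   # matches this node and everything below it

    def matches(self, user, groups, device_location):
        if self.user is not None and user != self.user:
            return False
        if self.ad_group is not None and self.ad_group not in groups:
            return False
        if self.location is not None:
            # Upper-level match: equal, or a prefix ending on a level boundary.
            if not (device_location == self.location
                    or device_location.startswith(self.location + SEP)):
                return False
        return True


def authorize(rules, user, groups, device_location):
    """Return (rule name, result) for the first matching rule; deny by default."""
    for rule in rules:
        if rule.matches(user, groups, device_location):
            return rule.name, rule.result
    return "Default", "DenyAccess"


# Constructed sample policy: the user-specific deny sits above the group permit.
POLICY = [
    Rule("Deny-ilay-Beijing", "DenyAccess", user="ilay",
         location="All Location#Beijing"),
    Rule("Permit-NetAdmins", "PermitAccess", ad_group="NetAdmins"),
]

if __name__ == "__main__":
    for loc in ("All Location#Beijing#Haidian#Site A", "All Location#Shanghai#Huangpu"):
        print(loc, authorize(POLICY, "ilay", {"NetAdmins"}, loc))
```

Swapping the two rules in `POLICY` makes the group permit match first, which is the ordering mistake to check for when verifying the configuration in step 3.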