10-27-2015 02:04 PM - edited 03-10-2019 11:11 PM
Hello all,
I have a question about an implementation that uses two different AD domains. I have policies written that use one or the other domain, but how do I create a policy that uses "or" to check both policies? The policies unique to each domain are working fine, but I have traveling users that now cross domains. I need the applicable policy for where they are regardless of which domain their username is in, without doubling or tripling the number of policies.
Let's say I have the following policy...
if CorporateAssets and (wired 802.1x and AD1:ExternalGroup equals domain1/Users/Domain Users) then Wired_Corp_AD
Works great not a problem. Easy and simple BUT
How can I modify this policy to become the following...
if CorporateAssets and (wired 802.1x and AD1:ExternalGroup equals domain1/Users/Domain Users OR AD2:ExternalGroup equals domain2/Users/Domain Users) then Wired_Corp_AD
I can get a drop-down box to change the first "and" operator to an "or", and it changes both, but I cannot figure out how to group things and be able to change things so that the user can be in either AD's Domain Users group. I figure this is just a selection / syntax something that I am missing. I figure there has to be a way to do this rather than have way too many rules to create and modify.
Brent
10-27-2015 02:28 PM
Hi
You should watch these two videos:
http://www.labminutes.com/sec0184_ise_13_multi_domain_ad_integration_1
http://www.labminutes.com/sec0184_ise_13_multi_domain_ad_integration_2
11-19-2015 02:57 AM
Hi,
You could create a compound condition under "Policy Elements --> Conditions --> Authorization", adding as attributes the groups of your ADs with the OR condition:
(AD1:ExternalGroup equals domain1/Users/Domain Users OR AD2:ExternalGroup equals domain2/Users/Domain Users)
In the Authorization rule use the "wired_802.1x" AND "<your new compound condition>".
Hope this helps.
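An added illustration (not from the thread or from Cisco ISE itself) of why the OR has to live inside its own grouped compound condition: the rule is modelled as plain Python boolean logic over constructed session attributes, with the grouped form beside an ungrouped form in which AND binds tighter than OR, so the AD2 branch matches without the asset and 802.1x checks. Session field names and the evaluator are assumptions for the example; the AD dictionary attributes and group paths are the ones quoted in the thread.

```python
from dataclasses import dataclass, field

# Constructed stand-in for what one authentication presents to the policy.
# Field names are illustrative, not real ISE dictionary keys.
@dataclass
class Session:
    corporate_asset: bool
    wired_dot1x: bool
    groups: dict = field(default_factory=dict)  # {"AD1:ExternalGroup": "..."}

AD1_USERS = ("AD1:ExternalGroup", "domain1/Users/Domain Users")
AD2_USERS = ("AD2:ExternalGroup", "domain2/Users/Domain Users")

def in_group(s, attribute, group):
    """The 'ExternalGroup equals <group>' atom for one join point."""
    return s.groups.get(attribute) == group

def either_domain_users(s):
    """The compound condition from the answer: AD1 Domain Users OR AD2 Domain Users."""
    return in_group(s, *AD1_USERS) or in_group(s, *AD2_USERS)

def wired_corp_ad_grouped(s):
    """Intended rule: CorporateAssets AND wired 802.1x AND (AD1 OR AD2)."""
    return s.corporate_asset and s.wired_dot1x and either_domain_users(s)

def wired_corp_ad_flat(s):
    """Same atoms written flat. AND binds tighter than OR, so this reads as
    (CorporateAssets AND wired AND AD1) OR AD2: any AD2 Domain User matches
    even from a non-corporate, non-802.1x session."""
    return (s.corporate_asset and s.wired_dot1x and in_group(s, *AD1_USERS)
            or in_group(s, *AD2_USERS))

def evaluate(rule, s):
    """Return the authorization profile the rule would hand out, else None."""
    return "Wired_Corp_AD" if rule(s) else None

def over_permissive_sessions(sessions):
    """Sessions the flat rule authorizes but the grouped rule does not."""
    return [s for s in sessions
            if wired_corp_ad_flat(s) and not wired_corp_ad_grouped(s)]

if __name__ == "__main__":
    d2_wired = Session(True, True, {AD2_USERS[0]: AD2_USERS[1]})
    d2_guest_port = Session(False, False, {AD2_USERS[0]: AD2_USERS[1]})
    for s in (d2_wired, d2_guest_port):
        print(evaluate(wired_corp_ad_grouped, s), evaluate(wired_corp_ad_flat, s))
```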