Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
683
Views
0
Helpful
2
Replies

Checking multiple domains in ISE authorization policy.

bberry
Level 1
Level 1

‎10-27-2015 02:04 PM - edited ‎03-10-2019 11:11 PM

Hello all,

 

I have a question about an implementation that uses two different AD domains. I have policies written that use one or the other domain but how do I create a policy that uses "or" to check both policies? The plicies unique to each domain are working fine but I have traveling users that now cross domains. I need the applicable policy for where they are regardless of which domain their username is in without doubling or tripling the number of policies.

 

Lets say I have the following policy...

     if CorporateAssets and (wired 802.1x and AD1:ExternalGroup equals domain1/Users/Domain Users) then Wired_Corp_AD

Works great not a problem. Easy and simple BUT

How can I modify this policy to become the following...

     if CorporateAssets and (wired 802.1x and AD1:ExternalGroup equals domain1/Users/Domain Users OR AD2:ExternalGroup equals domain2/Users/Domain Users) then Wired_Corp_AD

 

I can get a drop down box to change the first "and" operator to an or and it changes both but I cannot figure out how to group things and be able to change things to be able to have the user in either AD user/domain user groups. I figure this is just a selection / syntax something that I am missing. I figure there has to be a way to do this rather than have way too many rules to create and modify.

 

Brent

Labels:
0 Helpful
2 Replies 2

Henrik Grankvist
Level 4
Level 4

‎10-27-2015 02:28 PM

Hi

You should watch these two videos:

http://www.labminutes.com/sec0184_ise_13_multi_domain_ad_integration_1

http://www.labminutes.com/sec0184_ise_13_multi_domain_ad_integration_2

0 Helpful

alberx
Level 1
Level 1

‎11-19-2015 02:57 AM

Hi,

you could create a compound condition under "Policy elements --> Conditions --> Authorization" adding as attributes the groups of your ADs with the OR condition.

AD1:ExternalGroup equals domain1/Users/Domain Users OR AD2:ExternalGroup equals domain2/Users/Domain Users)

In the Authorization rule use the "wired_802.1x" AND "<your new compound condition>".

Hope this helps.

0 Helpful
Customers Also Viewed These Support Documents