Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1033
Views
5
Helpful
4
Replies
Jason Weids
Beginner
Beginner
‎09-13-2019 04:22 AM
‎09-13-2019 04:22 AM

Cisco ISE 2.4 LDAP Authorization Not Working as Expected

I am having some issues with a policy authorizing staff & students against our external identity source LDAP.

 

We have added two LDAP identity sources one that looks at the ou for all staff, the other looks at the ou for all students.

staff_LDAP

Capture.JPG

student_LDAP

Capture1.JPG

 

The authorization policies look at the ExternalGroups staff_LDAP & student_LDAP 

Capture2.JPG

Can anyone explain why all our staff are matching the student policy & students are matching the staff policy?

0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Colby LeMaire
Collaborator
Collaborator
In response to Jason Weids
‎09-25-2019 08:26 AM
‎09-25-2019 08:26 AM

Now that I look closer at your authorization rules, you need to change how you are looking up groups.  In your LDAP identity source configuration, there is a Groups tab.  In there, hit the button to select groups from directory.  Grab the groups that you want to be available in your authorization rules.  Save that.

Now in your authorization rule, you would configure it similar to "myLDAP:ExternalGroups EQUALS StaffGroup" or whatever your group name is for Staff.  Then same for the Student rule.  You really don't need two different LDAP identity sources if it is the same server.  And for your search base DN's, just make sure it is high enough up in the hierarchy to catch for both types of users.  In other words, just move up one level for your search base DN's.  Whatever is the common part of the full distinguishedName between a staff user and student user.  Take a look at the screenshots below for examples:

ldap_groups.jpgldap_rules.jpg

View solution in original post

0 Helpful
4 REPLIES 4
howon
Cisco Employee
Cisco Employee
‎09-23-2019 04:57 AM
‎09-23-2019 04:57 AM

Typically the step data on the detailed live log will show some hints. There are other settings in play such as identity sequence, LDAP external groups, and policy conditions not shown that could affect the decision.

 

However, it looks to be same LDAP server for both staff and students, have you considered just creating on LDAP for both use cases?

0 Helpful
Colby LeMaire
Collaborator
Collaborator
‎09-23-2019 07:01 AM
‎09-23-2019 07:01 AM

Your "Group Search Base" is the same on both servers and your authorization policy rules are looking for group membership.  Your identity search base is unique but that would be for authenticating the user or looking for user-specific attributes.  Since you are looking for group membership, either will match with the same "Group Search Base".

Jason Weids
Beginner
Beginner
In response to Colby LeMaire
‎09-25-2019 05:06 AM
‎09-25-2019 05:06 AM

Thanks, that does kind of make sense, but how is it that ALL staff were matching the student profile & ALL students were matching the staff profile. If they could match either I would have expected them all to match the first policy.

0 Helpful
Colby LeMaire
Collaborator
Collaborator
In response to Jason Weids
‎09-25-2019 08:26 AM
‎09-25-2019 08:26 AM

Now that I look closer at your authorization rules, you need to change how you are looking up groups.  In your LDAP identity source configuration, there is a Groups tab.  In there, hit the button to select groups from directory.  Grab the groups that you want to be available in your authorization rules.  Save that.

Now in your authorization rule, you would configure it similar to "myLDAP:ExternalGroups EQUALS StaffGroup" or whatever your group name is for Staff.  Then same for the Student rule.  You really don't need two different LDAP identity sources if it is the same server.  And for your search base DN's, just make sure it is high enough up in the hierarchy to catch for both types of users.  In other words, just move up one level for your search base DN's.  Whatever is the common part of the full distinguishedName between a staff user and student user.  Take a look at the screenshots below for examples:

ldap_groups.jpgldap_rules.jpg

0 Helpful
Latest Contents
Earn $100! Interview with Cisco on Network Risk, Compliance ...
Created by S Nath on 06-27-2022 01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?    If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ... view more
Converting Cisco Secure Endpoint Connectors from Audit to Pr...
Created by Sohaib Ahmed on 06-23-2022 05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari... view more
🧦💚 Tell us about your ZTNA journey in exchange for a pair ...
Created by betswang on 06-23-2022 03:05 PM
0
15
0
15
  Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ... view more
Cisco ASA Access-list ACL using network object
Created by Meddane on 06-23-2022 06:59 AM
0
0
0
0
  A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se... view more
How To: Cisco ISE Captive Portals with Aruba Wireless
Created by ahollifield on 06-22-2022 06:23 PM
3
10
3
10
How To: Cisco ISE Captive Portals with Aruba Wireless Authors: Adam Hollifield, Brad Johnson IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube