Cisco ISE and AD group

Krasnoperov
Level 1

Hi, I have a problem

I set up ISE, joined it to AD, got the group name from AD, and added it to ISE as an external identity group. Then I made a simple authentication policy rule which says: if the protocol is RADIUS, then use the AD1 store.

After this I created an authorization policy rule, and it says that if external group from AD, then permit access.

And now when I try to connect via ASA, using the AnyConnect client, my authentication log says that the default authorization rule was chosen. It seems like ISE does not check my username for external group membership.

Why does this happen?

Thanks

1 Reply

Tarik Admani
VIP Alumni

Hi,

The issue is with your Authorization Policy: you have configured an internal identity group.

You need to change this and point to your AD group. If you have retrieved the group from AD in the Groups settings under the AD settings, then you should be able to look for the condition by dropping down the "Attributes", selecting AD ExternalGroups, followed by your group.

Thanks,

Tarik Admani
*Please rate helpful posts*