Cisco ISE and AD group

Hi, I have a problem

I set up ISE, joined it to AD, retrieved the group name from AD, and added it to ISE as an external identity group. Then I made a simple authentication policy rule which says: if the protocol is RADIUS, then use the AD1 store.

After this I created an authorization policy rule, and it says: if external group from AD, then permit access.

And now when I try to connect via ASA, using the AnyConnect client, my authentication log says that I choose the default authorization rule. Seems like ISE does not check my username for external group membership.

Why does this happen?

Thanks

1 REPLY

Hi,

The issue is with your Authorization Policy: you have configured an internal identity group.

You need to change this and point to your AD group. If you have retrieved the group from AD in the Groups settings under the AD settings, then you should be able to look for the condition by dropping down "Attributes" and selecting AD ExternalGroups followed by your group.

Thanks,

Tarik Admani
*Please rate helpful posts*
