11-28-2012 05:35 PM - edited 03-10-2019 07:50 PM
I am currently testing the Cisco ISE product and I am trying to find a way to assign an authorization policy based on domain membership. Our company sorts standard users and project team members into different domains, so it seemed like the ideal thing to sort with. Unfortunately, I am no AD expert and there are a mind-boggling number of conditions/expressions to choose from. I figured I would be the first person to try this. What have others done to solve this problem?
I have tried using the memberOf attribute and matching to .*(domain).* Basically, I am looking to see if memberOf contains the domain name. It works for machine authentication, but when I log in the system cannot find my account info for some reason and boots me to the guest VLAN.
Thank you.
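The post above matches memberOf against the regex .*(domain).*, which is a substring test. The added example below (not from the thread, and not ISE code) shows, in Python, the difference between that loose substring match and a check that parses the DC= components of each memberOf distinguished name and compares the resulting domain exactly. The memberOf values and the domain names used are constructed for illustration.

```python
import re

# Constructed sample memberOf values (LDAP distinguished names); not taken from the thread.
SAMPLE_MEMBER_OF = [
    "CN=Project Team,OU=Groups,DC=projects,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com",
    # A group whose *name* contains "corp" but which lives in the projects domain.
    "CN=corp-vpn-users,OU=Groups,DC=projects,DC=example,DC=com",
]


def loose_match(member_of, domain):
    """Substring test equivalent to the .*(domain).* regex from the post.

    Any occurrence of the domain string anywhere in the DN (including inside a
    group's CN) counts as a match, so it can produce false positives.
    """
    pattern = re.compile(r".*" + re.escape(domain) + r".*", re.IGNORECASE)
    return any(pattern.match(dn) for dn in member_of)


def dn_domain(dn):
    """Return the DNS-style domain built from the DC= components of a DN.

    Assumption: RDNs are separated by plain commas. Escaped commas inside a CN
    (e.g. "CN=Smith\\, John") would need a full RFC 4514 parser, which this
    illustration does not implement.
    """
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "DC":
            parts.append(value.strip().lower())
    return ".".join(parts)


def strict_match(member_of, domain):
    """True if at least one memberOf group is located in exactly this domain."""
    target = domain.lower()
    return any(dn_domain(dn) == target for dn in member_of)


if __name__ == "__main__":
    only_misleading = [SAMPLE_MEMBER_OF[2]]
    print("loose match on 'corp':", loose_match(only_misleading, "corp"))
    print("strict match on 'corp.example.com':", strict_match(only_misleading, "corp.example.com"))
    print("strict match on 'projects.example.com':", strict_match(only_misleading, "projects.example.com"))
```

Running the block shows that the loose regex reports a "corp" match for a group that actually belongs to the projects domain, while the DC-component comparison does not. When building an authorization condition on memberOf, comparing the domain components rather than searching for a substring avoids that ambiguity.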
11-28-2012 05:54 PM
Are the two sets of users actually residing on two separate and independent domains? If so then that is probably where your problem is as ISE can only integrate with a single domain. If you have multiple domains then there must be a trust relationship between them. Another solution is to use LDAP integrations as there is not a limit with LDAP integrations.
Thank you for rating!
11-29-2012 06:03 AM
Yes, they are in different domains. I have already added one of the domains as an LDAP store.
12-04-2012 03:42 PM
Same Forest?
I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.
Please rate posts you consider useful.
-James