Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1361
Views
1
Helpful
6
Replies

Cisco ISE : Authorization for nested groups

k2no
Level 1
Level 1

‎09-08-2023 05:33 AM

Hello everyone,

I write this post because I face an issue with the External Group coming from my active directory on authorization policies.

We have several nested groups under a kind of root group, such as :

   NETWORK_USER  > CISCO

   NETWORK_USER > OTHER_VENDOR

My goal is to use the nested group in order to build my AuthZ policies to select the group dedicated to the right technology to allow only technology "owner" to login into the switch.

Unfortunately, when ISE is retrieving groups from AD for a user who is trying to connect, it will only retrieve the root group (NETWORK_USER) and not the "Cisco" or "Other_Vendor" group.

Is it something possible to do ? Do you already faced this kind of issue ?

Thanks for your help !

0 Helpful
6 Replies 6

Arne Bier
VIP
VIP

‎09-10-2023 03:13 PM

Hello @k2no 

Have you tried testing the user's Group assignment, by doing a Test User in the External Identity Sources > AD ? You can perform a "Lookup" on a user without needing to know their password. ISE will tell you what AD Groups that user is a member of. There is no magic involved here, because it's an exact dump of the AD Group Membership of that user (ISE doesn't mess that up). If the user is a member of NETWORK_USER  > CISCO then ISE will tell you. 

I suspect that your AD structure is made up of OUs and not Security Groups. Those are two different things in AD.

Let's assume that you have and OU structure, then you can still perform this in ISE Authorization Policy. Take a look at this article that explains how to use the AD Attributes feature to perform OU matching.

0 Helpful

k2no
Level 1
Level 1
In response to Arne Bier

‎09-18-2023 12:59 AM

Hello Arne,

Thanks for your feedback.

Sorry, something I didn't explain very well we’re not using a proper AD Join we are using the LDAP join so I can’t really Test the user.

I can see on which group the user belongs when clicking on “details” on the authentication. And I can see that the nested group is not shown for the user in ExternalGroup under “Other Attributes”.

But if I try to retrieve them on Ex ID Source > LDAP > Groups I can retrieve the nested group without any issues.

For example two of my not working nested group are CN=Cisco,OU=RADIUS,OU=Groups,OU=mydomain,DC=mydomain,DC=com & CN=Other,OU=RADIUS,OU=Groups,OU= mydomain,DC= mydomain,DC=com.

0 Helpful

Arne Bier
VIP
VIP

‎09-18-2023 03:22 PM

Hello @k2no 

I find LDAP challenging at the best of times. I don't use it much, but each time I have to use a tool like LDAP Browser to remind me how things work. You can certainly test a user lookup in ISE under the LDAP Identity Source, then select the Attributes tab. Click "Add" and then choose "Select Attributes from Directory".  In the Example Subject field, you must put the exact Subject string to retrieve a single account. E.g. in my lab I used   CN=Arne Bier,CN=Users,DC=rnlab,DC=local   - then click Retrieve Attributes.

Ok. Where to start... I am using Windows Server 2016 Active Directory and I have bound to the AD using LDAP TCP/389.

I created some dummy OUs and a Group within that OU. I then also added a test user into the Group.

LDAP-AD.png

 

The ISE search base DNs I used are the top-level of the  domain rnlab.local. e.g. DC=rnlab,DC=local

I always modify the ISE LDAP schema, based on the default Active Directory schema, but instead of sUserPrincipalName, I use Subject Name Attribute = sAMAccountName.

Then I added two Groups - notice the DN structure

LDAP-groups.png

Policy AuthZ as follows

LDAP-AuthZ.png

The Live Logs Details shows the results 

LDAP-ubuntu-authz.png

 

 

 

 

0 Helpful

k2no
Level 1
Level 1

‎09-25-2023 03:21 AM

Hello @Arne Bier 

Thanks for your time over your lab.

That's not exactly the same issue i guess. Here you have a group in a specific OU and the user belongs to a specific group.

My goal is to have a user belonging to a specific group in which other groups are member of and retrieve them on ISE. For example :

I have my user 'myuser' who belongs to Network User group :

k2no_0-1695636652875.png

I also have "Cisco" and "Other" which are members of "Network_User" :

k2no_1-1695636784113.pngk2no_2-1695636820892.png

My goal is to say if myuser is a network_user, since other and cisco are members of network_user myuser will be implicitly member of Cisco and Other. With that i would like to permit all Network_Users to be part of Cisco and Other groups and also give me the possibility to add users from others group to be member of "Cisco" or "Other" group without being in Network User.

 

I don't know if it's more clear to you.

0 Helpful

thomas
Cisco Employee
Cisco Employee

‎09-29-2023 04:33 PM

I have recreated your AD group structure:

- Network_User
  - Cisco
    - cisco_user
  - Other_Vendor
  - myuser

image.png

+Add the AD Groups to ISE:
image.png

Then go test the user as @Arne Bier suggested:
image.png

and I get:
image.pngimage.png

 

 

hslai
Cisco Employee
Cisco Employee

‎10-01-2023 05:38 PM

@k2no The LDAP ID sources in ISE do not support nested group membership lookups. Please create them as AD join points, instead.

0 Helpful
Customers Also Viewed These Support Documents