07-09-2013 06:09 AM - edited 03-10-2019 08:37 PM
Hello,
I am running Cisco ISE 1.1.4.218 in a standalone environment.
I am trying to set up a Compound Condition for Authorization.
I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
I created 1 endpoint identity group and 2 children groups
- GroupParent
- ChildA
- ChildB
I put the MAC address of my machine in the group ChildA.
In my condition, I tried the following:
IdentityGroup:Name, Equals, ChildA
IdentityGroup:Name, Equals, GroupParent:ChildA
IdentityGroup:Name, Match, .*(ChildA).*
I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
IdentityGroupName, Equals, GroupParent
IdentityGroupName, Match, .*(GroupParent).*
But none of these options worked.
I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
Can anyone help me?
Best regards,
David
07-10-2013 09:06 AM
Using internal identity group match may not work...
If you want to do this, can you try to choose it directly from the first part of the authz rule (to choose identity) instead of using a match condition?
Sent from Cisco Technical Support iPad App
07-09-2013 06:34 PM
You could try the following to match only the parent group
IdentityGroup:Name EQUALS GroupParent
You could try the following to match only child group A
IdentityGroup:Name EQUALS GroupParent#ChildA
You could try the following to match all child groups of GroupParent
IdentityGroup:Name STARTS_WITH GroupParent
Please rate if this helps
07-09-2013 11:08 PM
Follow "Configuring Endpoints" from the link below:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html
07-10-2013 02:08 AM
Hello,
I tried all the solutions mentioned above; none of them work.
I repeat that I am almost sure that it worked in ISE 1.1.1 but it does not work in 1.1.4.
Many thanks for your help.
David
11-07-2013 03:10 PM
Is it possible to create a parent group within Endpoint Identity Groups?
07-16-2013 01:24 AM
Many thanks Shaoqin, this helped me to make it work!
11-07-2017 11:19 AM
I've tried "IdentityGroup:Name" a bunch of ways and it doesn't work... Seems to only work when you use the Identity Group as "IF" for the first option in the rule.
I'm mostly just confirming what Shaoqin Li said above, I spent an hour trying a bunch of iterations with no luck.