ExternalGroups not available in the "Other Attributes"

sroberts (Level 1)

Hi all,

I'm having a problem when I'm using EAP-TLS with a certificate for authentication. The authentication is working if my authorization criteria don't include an external group in the matching criteria. When I try to add an external group in my authorization rule, it doesn't match my rule.

When I look in the "Other Attributes" field for that client, it is not showing up as an available attribute.

Do you know why it is doing this? Is the user I use for joining the AD missing rights? Anything else? Active Directory is 2003 and 2008.

FYI, when I use the same account to authenticate with PEAP rather than EAP-TLS, the external groups are there and I can create a rule to match the external group for that user.

Also, when I try to read the attributes for this user in the external identity, there are no attributes returned. Some other users are working.

Any clue? Is there any debug I can enable to troubleshoot this?

Thanks in advance


6 Replies

nspasov (Cisco Employee)

Hello,

Can you:

1. Post the whole screen of the authentication window

2. Post a screenshot of the supplicant configuration (including settings and advanced settings)

3. Post the version of ISE that you are using

Hi,

Here are the screenshots.

One of them is the authorization policy. Some of the rules are duplicates and disabled because I'm testing, but I want to mention that rule #3 is working and rule #4 is not working. This is where my problem is: rule #4 includes the external group criteria. If I create the same rule #4 but use PEAP rather than a certificate for authentication, it will work.

I'm using ISE 1.1.2

Thanks

I am a little bit confused by your authorization rules: I don't see any references to any AD external groups. The differences that I see between your authorization rules 3 & 4 are:

1. Rule 3 is disabled and 4 is not

2. Rule 4 is referencing a custom condition called "SGAccess-IT-Firewall". What exactly is that rule? Details about it?

Also, can you provide some additional info:

1. Can you post a screenshot of the detailed failed authentication? I want to look at the whole screen with all of the attributes and rules that were matched

2. Provide a screenshot from a successful authentication session from another user

3. Confirm that the affected user has a digital user certificate that was signed by your PKI (Start > MMC > add snap-in > certificates > personal user certs)

4. Screenshot of your authentication profile and identity sequence that you are using with your authentication rules

If PEAP is working, that means that ISE is able to successfully query AD, so the issue is most likely with something else

Hi,

The "SGAccess-IT-Firewall" you see in the rule is basically a condition that matches the external group I want. This is a predefined condition; that's why you see the name of my condition rather than the detail of the condition.

Like I was saying in my previous message, I have multiple rules for testing. Rule #3 and #4 are the rules I'm testing with.

Rule #3 is working because there is no condition to match the external group. Rule #4 is the one I would like to implement, but it is not working. So for now I'm switching between both rules for testing.

When it fails, it matches the last rule, which is a deny access (default rule).

I can't provide a successful authentication from another user because it is never working when I enable rule #4 and use a certificate for authentication. What I was saying was that it is working when I use PEAP for authentication. The difference I found in the detailed authentication result is the "other attributes" available. I included a screenshot in my first post.

So far I'm still searching. I can do the same thing in my lab on a test domain and test ISE server and it's working fine.

Hi,

I just want to give an update on this discussion. I have found why I was not able to match any external groups and why the attributes were not showing in the detailed logs.

The issue was with the certificate. When ISE is requesting the information from AD for the authentication, ISE uses the CN contained in the certificate as the username for any request. So in my case the CN in the certificate was Robertson, Stephane. ISE is taking this information to search in AD. The right name to search with is the "username" in AD (in my case robertsons). So as soon as I created a certificate with "robertsons" as the CN, it worked.

Thanks for your help!
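As an added illustration (not part of the thread or of ISE itself), the check below takes a certificate subject DN and the AD account name the cert is meant to map to, and reports why the CN-as-username lookup described above would fail. The RFC 4514 DN parser and the sample subjects are constructed here; the sAMAccountName rules applied are the documented AD limits (20 characters, no `" / \ [ ] : ; | = , + * ? < >`).

```python
import re

# Minimal RFC 4514 DN parser (assumption: plain backslash escapes only, no hex escapes).
# "CN=Robertson\, Stephane,OU=Users,DC=corp,DC=example" -> [('CN', 'Robertson, Stephane'), ...]
_RDN_RE = re.compile(r'(?P<type>[A-Za-z][A-Za-z0-9-]*)=(?P<value>(?:\\.|[^,])*)')

def parse_dn(dn):
    """Return (attribute type, unescaped value) pairs in the order they appear in the DN."""
    rdns = []
    for m in _RDN_RE.finditer(dn):
        value = re.sub(r'\\(.)', r'\1', m.group('value')).strip()  # drop backslash escapes
        rdns.append((m.group('type').upper(), value))
    return rdns

def subject_cn(dn):
    """First CN in the subject, which is the value the thread says ISE sends to AD as the username."""
    cns = [v for t, v in parse_dn(dn) if t == 'CN']
    return cns[0] if cns else None

# Characters AD rejects in a sAMAccountName (pre-Windows 2000 logon name), per Microsoft's docs.
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
_SAM_MAX_LEN = 20

def cn_lookup_problems(dn, expected_account):
    """List the reasons a CN-based AD user lookup would not resolve to expected_account.

    An empty list means the CN equals the sAMAccountName and the lookup should succeed.
    """
    cn = subject_cn(dn)
    if cn is None:
        return ['certificate subject has no CN']
    problems = []
    bad = sorted(c for c in set(cn) if c in _SAM_FORBIDDEN)
    if bad:
        problems.append('CN contains characters not allowed in a sAMAccountName: ' + ' '.join(bad))
    if len(cn) > _SAM_MAX_LEN:
        problems.append('CN is longer than the %d-character sAMAccountName limit' % _SAM_MAX_LEN)
    if cn.lower() != expected_account.lower():   # AD matches sAMAccountName case-insensitively
        problems.append('CN %r does not equal the AD sAMAccountName %r' % (cn, expected_account))
    return problems

if __name__ == '__main__':
    # Constructed subjects: the failing one from the thread and the corrected one.
    for dn in (r'CN=Robertson\, Stephane,OU=Users,DC=corp,DC=example',
               'CN=robertsons,OU=Users,DC=corp,DC=example'):
        print(dn, '->', cn_lookup_problems(dn, 'robertsons') or 'OK')
```

Running the same check over every issued user certificate before enabling the external-group rule catches the mismatch the poster hit without a failed authentication.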

Glad to hear that you found a solution, and thanks for posting it here! Five points from me! You should mark the question as answered so the thread can be closed.

Regards,
