How do I authenticate users in a specific AD group with Cisco ISE

I have ISE up and running authenticating properly.  But right now it will authenticate and allow ANY account in Active Directory.  I want to allow access to only users in a specific group in Active Directory.  I have added the group under Administration>Identity Management>External Identity Sources>Active Directory>Groups.  But, I have not been able to find a way to link membership in that group to the Authentication Policy rules.

8 Replies

Tarik Admani
VIP Alumni

Hi,

You will have to add the group in your AD settings.

Then you can map that group in your authorization profile.

Thanks


Yes, I understand that.  I have added the group in AD settings. 

What I need to know is HOW do I map that group to the auth profile?

Under your Authorization policy, when you add the condition, choose the advanced option; there you should see an option for AD (select that), then the ExternalGroup option should appear. Set that attribute option equal to the AD group you are after.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for the reply.

I'm not getting AD as an option (see below).  Any idea why that might be?

Chris,

I don't know where you are with the screenshot, but follow this path: Policy > Authorization > (on the rule you want to limit AD group access) Select Attribute > Create New attribute (Advanced); the AD option should appear there. Currently the box I am using isn't joined to AD, so I can't show you how it looks.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thank you very much.  That was the step I was missing.  It works the way I want it to now.

Disregard above.  I was looking in Authentication not Authorization rules. 
