10-22-2012 09:28 AM - edited 03-10-2019 07:42 PM
I have ISE up and running authenticating properly. But right now it will authenticate and allow ANY account in Active Directory. I want to allow access to only users in a specific group in Active Directory. I have added the group under Administration>Identity Management>External Identity Sources>Active Directory>Groups. But, I have not been able to find a way to link membership in that group to the Authentication Policy rules.
10-22-2012 09:38 AM
Hi,
You will have to add the group in your AD settings.
Then you can map that group in your authorization profile.
Thanks
Sent from Cisco Technical Support Android App
10-22-2012 11:13 AM
Yes, I understand that. I have added the group in AD settings.
What I need to know is HOW do I map that group to the auth profile?
10-22-2012 01:31 PM
Under your Authorization policy, when you add the condition, choose the advanced option, there you should see an option for AD (select that) then the ExternalGroup option should appear. Set that attribute option equal to the AD group you are after.
Thanks,
Tarik Admani
*Please rate helpful posts*
10-22-2012 01:46 PM
Thanks for the reply.
I'm not getting AD as an option (see below). Any idea why that might be?
10-22-2012 01:51 PM
Chris,
I don't know where you are with the screenshot but follow this path: Policy > Authorization > (on the rule you want to limit AD group access) Select Attribute > Create New attribute (Advanced). The AD option should appear there. Currently the box I am using isn't joined to AD so I can't show you how it looks.
Thanks,
Tarik Admani
*Please rate helpful posts*
10-22-2012 02:26 PM
Thank you very much. That was the step I was missing. It works the way I want it to now.
10-22-2012 02:15 PM
Disregard above. I was looking in Authentication not Authorization rules.
05-22-2013 02:37 AM
Kindly review the below link:
https://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf