
ISE 2.3 AD Groups Not shown in Policy Sets.

fquiroga
Level 1

Hi community,


First of all, thanks to all for reading this kind of newbie question.

I have one ISE 2.3 in my lab, and I'm making the configurations in an environment that doesn't have an impact on production, before installing definitively.


I've read the documentation (https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html#reference_8DC463597A644A5C9CF5D582B77BB24F)


I'm having a problem making the policy sets, where I can't find the AD groups, already configured previously in external identity sources, to add as a condition for authentication.


I can't use them successfully to make conditions, neither in Policy Elements to make new Conditions nor in the Policy Sets:

[Screenshots: PolicyElements.PNG, Policy Sets.PNG]


I've already joined to AD successfully, and the diagnostic tools show all tests passed, but I can't find the condition for making the new Policy.

[Screenshots: ad1.PNG, AD2.PNG, AD3.PNG]


My infrastructure has the following:

1- AD/DC, already joined to ISE.

2- vWLC 8.2.15 Version

3- Cisco ISE 2.3 3515 Hardware.

Am I missing something? (Sure, but what could it be?)


Regards

Accepted Solutions

Hello

I don't really see the issue here. From your top screenshot you are able to select your AD-join-point as an attribute and then you are able to select the "Domain admins" group. If you want to be able to browse that condition or set of conditions, you need to hit save in order to make it a part of the library. Once it has been saved as a library condition you should be able to select it when creating auth/authZ rules. Or you could just select the attribute directly when creating a rule (no need to save as a library condition).

Hello,


Thanks davidgranathkarlsson, you pointed me in the right direction. My error was trying to put the AD groups as a first condition in the Policy Set (Access), but it works great pointing them into Auth/AuthZ.

I hope my newbie question can help other newbies, since the policy sets changed dramatically with the new release of ISE.

Regards.

Good to hear it worked out well for you.

 

Yeah, it's not unlikely many people will run into similar issues when moving to 2.3, considering GUI changes, enforcement of policy set usage, and as well the "bug" explained at the top of known issues in 2.3, which has been causing some confusion (https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/release_notes/ise23_rn.html#pgfId-807015).

"Conditions Studio Editor After Upgrade to ISE 2.3

When you create conditions using the Conditions Studio editor after upgrade, you can click the Attribute Value drop-down list or click the icon next to the Attribute Value text box to choose the required attribute. If the Attribute Value drop-down list is not displayed, you must use the mouse or trackpad, scroll up to the top of the page, and click the Attribute Value text box."