ISE 2.4 RBAC policies for AD users

kareali@cisco.com
Cisco Employee

Hi,
The customer is asking for assigning different RBAC policies to different AD users, but those users are members of the same AD group!!

I have created 2 admin groups (external), and both groups have one user member, like below:

user: bzahran, admin group name: CNOC, type: external, AD group: CNOC_L2
user: abozaidan, admin group name: Network device admins, type: external, AD group: CNOC_L2

Then I created 2 policies with different menu access and data access, but it doesn't work: both users always get the same view!!!

The question is: is the above scenario possible, or should each user be a member of a unique AD group that no other user is a member of at all? I tested this scenario in my lab and it worked fine!!!


1 Reply

Damien Miller
VIP Alumni
Well, I can say that this works fine when two different AD groups are used. I would imagine that in your scenario the users are hitting the first match on login, similar to how an ACL works. Either way, it appears you have some odd behavior, so the ideal solution here is to use two AD groups and map those two groups to the two roles you have in ISE. This would be the recommended approach to RBAC.

The alternative would be shadow accounts, but the last time I tried that I ran into a limitation. I'm not sure if this was ever fixed in 2.2 or 2.4. I would have to try it again. Maybe someone else here knows if this also impacts 2.2-2.4.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb64350/

Last option: use local accounts with local passwords on ISE, but I'd rather use AD groups.
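To make the reply's first-match explanation concrete, here is an added Python simulation. It is not Cisco code and not ISE's real policy engine; it assumes, as the reply does, that ISE walks the RBAC policies top-down and stops at the first admin group the user holds. The user names, admin group names, AD group CNOC_L2 and policy order come from the thread; the second AD group CNOC_L3 and the menu/data labels are constructed. The ambiguous_users check is the thing to run before trusting any external admin group mapping: any user that resolves to more than one admin group will get whichever policy is evaluated first.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed AD membership modelled on the thread: both users share CNOC_L2.
SHARED_MEMBERSHIP: Dict[str, Set[str]] = {
    "bzahran": {"CNOC_L2"},
    "abozaidan": {"CNOC_L2"},
}

# The fix the reply recommends: one AD group per role (CNOC_L3 is constructed).
DISTINCT_MEMBERSHIP: Dict[str, Set[str]] = {
    "bzahran": {"CNOC_L2"},
    "abozaidan": {"CNOC_L3"},
}

# External admin groups as (ISE admin group, mapped AD group), as in the post.
ADMIN_GROUPS_SHARED: List[Tuple[str, str]] = [
    ("CNOC", "CNOC_L2"),
    ("Network device admins", "CNOC_L2"),
]
ADMIN_GROUPS_DISTINCT: List[Tuple[str, str]] = [
    ("CNOC", "CNOC_L2"),
    ("Network device admins", "CNOC_L3"),
]

# RBAC policies in evaluation order: (admin group, menu access, data access).
# The menu/data labels are constructed placeholders.
POLICIES: List[Tuple[str, str, str]] = [
    ("CNOC", "CNOC menu", "CNOC data"),
    ("Network device admins", "NDA menu", "NDA data"),
]


def admin_groups_for(user: str, membership: Dict[str, Set[str]],
                     admin_groups: List[Tuple[str, str]]) -> List[str]:
    """All ISE admin groups whose mapped AD group the user belongs to."""
    user_ad_groups = membership.get(user, set())
    return [ise_group for ise_group, ad_group in admin_groups
            if ad_group in user_ad_groups]


def first_match_view(user: str, membership: Dict[str, Set[str]],
                     admin_groups: List[Tuple[str, str]],
                     policies: List[Tuple[str, str, str]]) -> Optional[Dict[str, str]]:
    """Assumed first-match semantics: walk the policies top-down and return the
    first one whose admin group the user holds. None means no policy matched."""
    held = set(admin_groups_for(user, membership, admin_groups))
    for ise_group, menu, data in policies:
        if ise_group in held:
            return {"admin_group": ise_group, "menu": menu, "data": data}
    return None


def ambiguous_users(membership: Dict[str, Set[str]],
                    admin_groups: List[Tuple[str, str]]) -> List[str]:
    """Sanity check: users that resolve to more than one admin group. With
    first-match evaluation these users silently get only the earliest policy."""
    return sorted(user for user in membership
                  if len(admin_groups_for(user, membership, admin_groups)) > 1)


def views_for_all(membership: Dict[str, Set[str]],
                  admin_groups: List[Tuple[str, str]],
                  policies: List[Tuple[str, str, str]]) -> Dict[str, Optional[str]]:
    """Menu view each user ends up with under the assumed first-match rule."""
    result: Dict[str, Optional[str]] = {}
    for user in membership:
        view = first_match_view(user, membership, admin_groups, policies)
        result[user] = view["menu"] if view else None
    return result


if __name__ == "__main__":
    # Shared AD group: both users collapse onto the first policy (CNOC).
    print("shared group  :", views_for_all(SHARED_MEMBERSHIP, ADMIN_GROUPS_SHARED, POLICIES))
    print("ambiguous     :", ambiguous_users(SHARED_MEMBERSHIP, ADMIN_GROUPS_SHARED))
    # One AD group per role: each user gets the intended policy.
    print("distinct group:", views_for_all(DISTINCT_MEMBERSHIP, ADMIN_GROUPS_DISTINCT, POLICIES))
    print("ambiguous     :", ambiguous_users(DISTINCT_MEMBERSHIP, ADMIN_GROUPS_DISTINCT))
```

With the shared mapping, abozaidan holds both admin groups and the CNOC policy wins simply because it is evaluated first, which is exactly the "same view for both users" symptom in the question; with one AD group per role the ambiguity disappears and each user lands on the intended policy.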