11-20-2012 08:03 AM - edited 03-10-2019 07:48 PM
Hi,
I am trying to get ISE to check if a computer is in a specific Active Directory group and then authorize based on that information.
I have connected ISE to Active Directory and successfully added the group domain.com/Users/Domain Computers and then under Authorization I have added the policy IF Any AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Computers Then PermitAccess.
It is the first rule in the list.
But this doesn't seem to work. The computer goes to the last Default rule. Did I forget to do something?
Regards,
Philip
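As an added check (not part of Philip's post or of any Cisco documentation), the following PowerShell script confirms from the Active Directory side what group membership the domain actually reports for a computer account before troubleshooting the ISE rule. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation; the computer name `WS01` and the group name are placeholders. The one detail worth knowing here is that a computer's primary group (Domain Computers by default, RID 515) is not listed in its memberOf attribute at all; it is only recorded as a RID in primaryGroupID, so a membership check that looks at memberOf alone will report a domain computer as not being in Domain Computers.

```powershell
# Added example, not from the forum thread: report direct and primary-group
# membership of a computer account as stored in AD.
# Assumes the RSAT ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

function Test-ComputerGroupMembership {
    param(
        # Computer name as shown in AD Users and Computers (Get-ADComputer also
        # accepts the sAMAccountName form "WS01$").
        [Parameter(Mandatory)][string]$ComputerName,
        # Group name, e.g. "Domain Computers".
        [Parameter(Mandatory)][string]$GroupName
    )

    $computer = Get-ADComputer -Identity $ComputerName -Properties memberOf, primaryGroupID
    $group    = Get-ADGroup    -Identity $GroupName

    # Non-primary membership is stored as group DNs on the computer's memberOf.
    $direct = [bool]($computer.memberOf -contains $group.DistinguishedName)

    # The primary group is NOT in memberOf; it is only the RID (last SID
    # component) stored in primaryGroupID. Domain Computers is RID 515.
    $groupRid = [int](($group.SID.Value -split '-')[-1])
    $primary  = ($computer.primaryGroupID -eq $groupRid)

    [pscustomobject]@{
        Computer     = $computer.DistinguishedName
        Group        = $group.DistinguishedName
        GroupRid     = $groupRid
        DirectMember = $direct
        PrimaryGroup = $primary
        IsMember     = ($direct -or $primary)
    }
}

# Placeholder usage: compare against the group DN you selected in ISE.
Test-ComputerGroupMembership -ComputerName 'WS01' -GroupName 'Domain Computers'
```

If `DirectMember` is false and `PrimaryGroup` is true, the domain holds that membership only as a primary-group RID, which is a different lookup path from the memberOf list and is the first thing to verify against whatever group attribute your ISE version retrieves.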
03-01-2013 08:41 AM
That is very interesting. Thank you for sharing (+5 from me). I am by no means a VPN expert, so it will be interesting to lab this out and see how it works out. Have you had the chance to play with it?
03-01-2013 09:04 AM
No, actually I haven't tried this yet. Just share the result if you try this in a lab. If I get a chance to test this, I will share the result with you. Thanks
03-19-2013 09:44 AM
From all that I have learned so far, the only way the ASA can talk to the ISE IPN is via RADIUS, and that takes a lot of options out of play for VPN user/machine authentications.
Ideally we would like to verify that both the user and the machine are members of the domain before we allow full access to our network. Better still would be certificate verification for any machines that are members of our domain.
At this time we have settled for a simple NAC agent read of a specific registry key that says the machine is a member of our domain. Primitive, yes, but does what we need for now.
Now my challenge is contractor systems. We have about 30 of them, and I am afraid that to read a registry key for the exact machine name they give us upon signing our access agreement means that I have to create 30 different policies to make it read the registry key over and over as it goes through each policy.
Is there some way to make a list in a policy, so that instead of 30 different policies, I have one policy that reads through a list of possible texts that would be acceptable?
Dirk
05-22-2013 03:38 AM
Kindly review the below link:
https://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
06-19-2024 12:30 AM
did you ever get this to work? thanks