8947 Views | 10 Helpful | 19 Replies

ISE: Auth computer based on AD group

Hi,

I am trying to get ISE to check if a computer is in a specific Active Directory group and then authorize based on that information.

I have connected ISE to Active Directory and successfully added the group domain.com/Users/Domain Computers and then under Authorization I have added the policy IF Any AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Computers Then PermitAccess.

It is the first rule in the list.

But this doesn't seem to work. The computer goes to the last Default rule. Did I forget to do something?

Regards,

Philip

19 Replies

That is very interesting. Thank you for sharing (+5 from me). I am by no means a VPN expert, so it will be interesting to lab this out and see how it works out. Have you had the chance to play with it?

No, actually I haven't tried this yet. Just share a result if you try this in the lab. If I get a chance to test this, I will share a result with you. Thanks.

From all that I have learned so far, the only way the ASA can talk to the ISE IPN is via RADIUS, and that takes a lot of options out of play for VPN user/machine authentications.

Ideally we would like to verify that both the user and the machine are members of the domain before we allow full access to our network. Better still would be certificate verification for any machines that are members of our domain.

At this time we have settled for a simple NAC agent read of a specific registry key that says the machine is a member of our domain. Primitive, yes, but does what we need for now.

Now my challenge is contractor systems... we have about 30 of them... and I am afraid that to read a registry key for the exact machine name they give us upon signing our access agreement means that I have to create 30 different policies to make it read the registry key over and over as it goes through each policy.

Is there some way to make a list in a policy, so that instead of 30 different policies, I have one policy that reads through a list of possible texts that would be acceptable?

Dirk

siryonz
Level 1

Did you ever get this to work? Thanks.