ISE Authorization Compound Condition with Local User Groups

roadracers
Level 1

I am trying to create an Authorization Policy that will use the User Groups I have defined on ISE. I am unable to find the correct attribute in the conditional expression that will look at the ISE User Group. I have been able to make this work with an External Identity Source (AD), just not the internal user group. If you look in the picture, it is the first line I am trying to modify to verify against the ISE User Group that I created. Can anyone help with this?

4 Replies

jan.nielsen
Level 7

Internal ISE group condition only works by selecting it in the user group selection to the right of the conditions in your authorization rule; you can't use it as a "condition".

Thank you, I finally figured it out. Just different that AD groups are in the conditional expression, but the internal user groups are not.

Hi,

Can you please explain how you did it?

I tried, but I am getting an authentication fail error on my mobile.

Regards,

Yes. So like Jan said above, you can't use it in the compound condition, but you can use it on the authorization policy page. Let me show you.

Where the arrow is on the main authorization page, replace "Any" with the local identity group or user. Then on the policy compound condition, add two conditions, if you are setting up Radius: network access:authentication method equals PAP_ASCII and Radius:NAS-Port-Type Virtual.