08-19-2016 01:34 PM - edited 03-11-2019 12:00 AM
I am trying to create an Authorization Policy that will use the User Groups I have defined on ISE. I am unable to find the correct attribute in the conditional expression that will look at the ISE User Group. I have been able to make this work with an External Identity Source (AD), just not the internal user group. If you look in the picture, it is the first line I am trying to modify to verify against the ISE User Group that I created.
08-19-2016 01:58 PM
Internal ISE group condition only works by selecting it in the user group selection to the right of the conditions in your authorization rule; you can't use it as a "condition".
08-22-2016 08:06 AM
Thank you, I finally figured it out. Just different that AD groups are in the conditional expression, but the internal user groups are not.
08-23-2016 03:43 AM
Hi,
Can you please explain how you did it?
I tried but am getting an authentication fail error on my mobile.
Regards,
08-24-2016 06:21 AM
Yes. So like Jan said above, you can't use it in the compound condition, but you can use it on the authorization policy page. Let me show you.
Where the arrow is on the main authorization page, replace "Any" with the local identity group or user. Then on the policy compound condition, add two conditions, if you are setting up Radius: network access:authentication method equals PAP_ASCII and Radius:NAS-Port-Type Virtual.