Solved: Re: ISE authorization policies with only one AD group

drivera_ · ‎04-19-2019

Hello, everybody

I would like to ask you something. Is there any way for configuring authorization profiles on ISE with differents permissions by having only one AD group? We have a customer that only has an AD group and he wants users to be assigned on a VLAN by the ISE depending on the user role, I mean, users must be serapated by VLANs as a final authorization permission on Authorization profiles, so the customer wants every user has a VLAN depending on the user role. I don't know how to tell ISE to assign a VLAN depending on a role that is not defined on AD. I hope you guys have understood me.

Thank you in advance.

Karsten Iwen · ‎04-20-2019

You ISE need a differentiation in the context to separate the endpoints into different authorisation profiles. If the differentiation is not known anywhere in the ISE, then you can't do that. You have to tell your customer to put all employees into a corresponding windows-group or rethink the requirement.

View solution in original post

Karsten Iwen · ‎04-20-2019

You ISE need a differentiation in the context to separate the endpoints into different authorisation profiles. If the differentiation is not known anywhere in the ISE, then you can't do that. You have to tell your customer to put all employees into a corresponding windows-group or rethink the requirement.

drivera_ · ‎04-25-2019

Hi Karsten,

Thank you for your reply. I'm gonna tell our customer that it is necessary rethink the requirement.