12-08-2015 05:00 AM - edited 03-10-2019 11:18 PM
Hi, I know it is possible to configure, because I have it in the production environment, but in my lab I have a problem with a compound condition:
I try to configure an authorization compound condition. I have wireless users in the local identity store and in an external LDAP store. To authorize both groups, I want to create a compound condition like:
LDAP01:ExternalGroups EQUAL CN=WLAN-Access1,O=WLAN or
LDAP01:ExternalGroups EQUAL CN=WLAN-Access2,O=WLAN
and so on. So far so good. I can select the LDAP groups. But when I try to add the local store I am not able to select the internal identity group. I add an attribute:
IdentityGroup:Name EQUAL ....
I click on the "down arrow" to select the correct internal group, but everything I am able to select is "IdentityGroup:Name" and not the real name of the group. So the result is:
IdentityGroup:Name EQUAL IdentityGroup:Name
This makes no sense to me. Also I am not able to search for the group.
Any hints on that?
12-08-2015 02:57 PM
12-08-2015 09:25 PM
I don't get it. Maybe it's unclear what I mean. Here is a screenshot.
802.1x-VIP is an internal user group with internal users. CN=WLAN-Access... are external LDAP groups.
My problem is that in my lab I am not able to configure this internal group as a condition. I just cannot select an internal group. The question is: Why?
12-09-2015 03:58 AM
I think you'd need to create a separate policy rule with the same policy but instead of the compound condition, just select the identity group you want from the dropdown list (see green area in attached screenshot).
This way you've got one rule for your LDAP groups and one for your identity group.
12-09-2015 10:45 PM
Maybe that's a solution, yes. But there is still the main question: Why can't I add a local identity group to the compound condition?!
ISE 1.2.1 Patch 7