Solved: ISE deployment - AD Group

cnezakaren · ‎02-05-2020

Hi,

I am deploying ISE right now, I have just joined AD.

My purpose was to add my AD user as superadmin so I can log into ISE with full access without using default or internal account.

To do that, I had to add a group from Directory... but the group includes more users and I don't want all them to have the full access to ISE.

How can i get around that issue ? For information, my team doesn't manage AD, AD is monitored by another team..

Thank you for your help.

Arne Bier · ‎02-06-2020

When using an external User Group for ISE Admin login, you can only apply a "group" concept to the login authentication. It's purely membership based. Unlike the nice tools we have for RADIUS/TACACS+, we cannot perform any regular expressions or pattern matching to the Admin username entry.

Your bets bet would be to create a separate AD Group and move your power users there. Or not use AD at all, and then create local ISE Admin users.

View solution in original post

Arne Bier · ‎02-06-2020

When using an external User Group for ISE Admin login, you can only apply a "group" concept to the login authentication. It's purely membership based. Unlike the nice tools we have for RADIUS/TACACS+, we cannot perform any regular expressions or pattern matching to the Admin username entry.

Your bets bet would be to create a separate AD Group and move your power users there. Or not use AD at all, and then create local ISE Admin users.