Beginner

ISE Device Admin using active directory

I can't seem to work this one out... how do you match against an AD group at the authentication level (not authorisation)? I have a wide AD group selected under the AD external identity sources (covering all corporate wireless users). I don't want those users to be able to authenticate and gain access to the CLI of our network devices.

5 Replies
Contributor

The default ISE Authorization policy (in 2.1) seems to be:

Name: Tacacs_Default
Command Set: DenyAllCommands
Shell Profiles: <Blank>


If you change the Shell Profile in Tacacs_Default to "Deny All Shell Profile", then this should prevent unauthorised users from accessing the CLI.

hth
Andy

Rising star

Information related to user identity (such as AD related info, internal users or others) can only be leveraged after authentication.

For the example that you give, you can authenticate against AD and then create Authorization rules that match against specific groups to allow access. All other groups (default rule) can be assigned the result "Deny Access".

Beginner

Yes, but I don't understand why you can't focus the authentication to a specific AD group. In most deployments where you are providing Wired, Wireless and Device admin you will almost certainly capture most of your users within AD.

This can't be the case... I must be missing something here!

Beginner

I got this working. Instead of using AD I created two separate LDAP external sources. One only having access to the RW AD groups and the other only having access via the RO AD groups.

It's a shame you can't create two direct AD relationships, that would have been ideal.

Beginner

I agree, but this still allows a user to authenticate. I don't want to allow users not in a specific group to access the CLI.

If you could add a separate AD Join point and only permit the required groups this would work, but ISE only allows you to have a single join point per active directory domain.
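To make the distinction running through this thread concrete (authentication only establishes who the user is and fetches their groups; the authorization policy decides whether a shell is granted), here is an added Python model of the device-admin flow. It is not ISE code and does not use any ISE API: the directory contents, user names, group DNs, the `Priv15`/`Priv1` shell profile names and the `scope_groups` idea are constructed for the example; only `Tacacs_Default`, `DenyAllCommands` and `Deny All Shell Profile` come from the replies above. The unscoped source models the AD join point approach from the Rising star reply (everyone authenticates, the default rule denies the shell), while the scoped source models the two-LDAP-source workaround (users outside the scoped groups are never authenticated at all).

```python
"""Model of TACACS+ device-admin access control in ISE terms: identity store
lookup, then a first-match authorization policy ending in a default-deny rule.
Added illustration only; names below are constructed placeholders, not ISE's."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed directory: every domain user, with their group memberships.
DIRECTORY: Dict[str, Set[str]] = {
    "netadmin": {"CN=Network-RW", "CN=Corp-Wireless"},
    "helpdesk": {"CN=Network-RO", "CN=Corp-Wireless"},
    "alice":    {"CN=Corp-Wireless"},           # ordinary wireless user
}
PASSWORDS = {"netadmin": "pw-rw", "helpdesk": "pw-ro", "alice": "pw-wifi"}  # constructed

DENY_SHELL = "Deny All Shell Profile"   # name quoted in the thread


@dataclass
class IdentitySource:
    """An AD join point sees every domain user. An LDAP source can be scoped
    (here via scope_groups, a constructed field) so that users outside the
    chosen groups are never found, i.e. they fail authentication outright."""
    name: str
    scope_groups: Set[str] = field(default_factory=set)

    def authenticate(self, user: str, password: str) -> Optional[Set[str]]:
        """Return the user's groups on success, None if unknown/bad password/out of scope."""
        groups = DIRECTORY.get(user)
        if groups is None or PASSWORDS.get(user) != password:
            return None
        if self.scope_groups and not (groups & self.scope_groups):
            return None          # not visible to this source, so never authenticated
        return groups


@dataclass
class AuthzRule:
    name: str
    required_group: Optional[str]   # None: default rule, matches every request
    shell_profile: str
    command_set: str


# Ordered, first match wins. The last rule plays the role of Tacacs_Default
# with its Shell Profile set to "Deny All Shell Profile" as Andy suggested.
DEVICE_ADMIN_POLICY = [
    AuthzRule("NetOps-RW", "CN=Network-RW", "Priv15", "PermitAllCommands"),
    AuthzRule("NetOps-RO", "CN=Network-RO", "Priv1", "ShowCommandsOnly"),
    AuthzRule("Tacacs_Default", None, DENY_SHELL, "DenyAllCommands"),
]


def device_admin_login(source: IdentitySource, user: str, password: str,
                       policy=DEVICE_ADMIN_POLICY) -> dict:
    """Run authentication against one identity source, then the authz policy."""
    groups = source.authenticate(user, password)
    if groups is None:
        return {"authenticated": False, "rule": None, "shell_granted": False}
    matched = next(r for r in policy
                   if r.required_group is None or r.required_group in groups)
    return {
        "authenticated": True,
        "rule": matched.name,
        "shell_profile": matched.shell_profile,
        "command_set": matched.command_set,
        "shell_granted": matched.shell_profile != DENY_SHELL,
    }


if __name__ == "__main__":
    ad = IdentitySource("AD-JoinPoint")                      # unscoped: whole domain
    ldap_rw = IdentitySource("LDAP-RW", {"CN=Network-RW"})   # scoped workaround
    for src in (ad, ldap_rw):
        for u in ("netadmin", "helpdesk", "alice"):
            print(src.name, u, device_admin_login(src, u, PASSWORDS[u]))
```

Running it shows the trade-off the thread ends on: with the AD join point, `alice` authenticates successfully and is only stopped by `Tacacs_Default`, which is what the original poster objected to; with the scoped LDAP source she is rejected before any authorization rule is evaluated, at the cost of maintaining one source per group scope.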