ISE Device Admin using active directory

rgreville666
Level 1

I can't seem to work this one out... How do you match against an AD group at the authentication level (not authorisation)? I have a wide AD group selected under the AD external identity sources (covering all corporate wireless users). I don't want those users to be able to authenticate and gain access to the CLI of our network devices.

5 Replies

andrewswanson
Level 7

The default ISE Authorization policy (in 2.1) seems to be:

Name: Tacacs_Default
Command Set: DenyAllCommands
Shell Profiles: <Blank>

If you change the Shell Profile in Tacacs_Default to "Deny All Shell Profile", then this should prevent unauthorised users from accessing the CLI.

hth
Andy

Information related to user identity (such as AD related info, internal users or others) can only be leveraged after authentication

For the example that you give, you can authenticate against AD and then create Authorization rules that match against specific groups to allow access. All other groups (default rule) can be assigned the result "Deny Access".

Yes, but I don't understand why you can't focus the authentication to a specific AD group. In most deployments where you are providing Wired, Wireless and Device admin you will almost certainly capture most of your users within AD.

This can't be the case... I must be missing something here!

I got this working. Instead of using AD I created two separate LDAP external sources: one only having access to the RW AD groups and the other only having access to the RO AD groups.

It's a shame you can't create two direct AD relationships; that would have been ideal.
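The two approaches in this thread (authenticate every AD user and let an authorization rule with "Deny All Shell Profile" as the default block the CLI, versus scoping the identity source itself to the RW/RO groups so that users outside those groups never authenticate) can be modelled side by side. The following is an added, constructed Python model, not ISE's own API or a configuration export; every username, group name, rule name and profile name other than Tacacs_Default, DenyAllCommands and Deny All Shell Profile is made up for the illustration.

```python
"""Constructed model of ISE device-admin decisions: authentication against
an identity source, then authorization by ordered rules on AD groups.
Added example only; not Cisco ISE code. Names below are hypothetical."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed directory: username -> AD group memberships.
AD_USERS = {
    "alice": {"CORP-Wireless", "NetAdmins-RW"},
    "bob":   {"CORP-Wireless", "NetOps-RO"},
    "carol": {"CORP-Wireless"},   # ordinary wireless user, no device-admin group
}

# These three names are the ones the thread quotes from ISE.
DEFAULT_RULE = "Tacacs_Default"
DENY_ALL_COMMANDS = "DenyAllCommands"
DENY_ALL_SHELL = "Deny All Shell Profile"


@dataclass
class IdentitySource:
    """Either the single AD join point (all groups visible, every directory
    user authenticates) or an LDAP source scoped to a subset of groups, as in
    the original poster's workaround."""
    name: str
    visible_groups: Optional[Set[str]] = None   # None = full AD join point

    def authenticate(self, user: str) -> bool:
        groups = AD_USERS.get(user)
        if groups is None:
            return False                         # unknown account
        if self.visible_groups is None:
            return True                          # AD join point: any user passes
        # Scoped LDAP source: only members of the permitted groups are found.
        return bool(groups & self.visible_groups)


@dataclass
class AuthzRule:
    name: str
    required_group: Optional[str]   # None = default rule, matches everyone
    shell_profile: str
    command_set: str


def authorize(user: str, rules) -> Tuple[str, str, str]:
    """First-match evaluation, like an ISE policy set; the last rule is the
    default and therefore always matches."""
    groups = AD_USERS.get(user, set())
    for rule in rules:
        if rule.required_group is None or rule.required_group in groups:
            return rule.name, rule.shell_profile, rule.command_set
    raise RuntimeError("policy has no default rule")


def device_admin(user: str, source: IdentitySource, rules) -> Tuple[str, Optional[str]]:
    """Returns ('auth-failed', None) when the identity source rejects the
    user, else ('authorized', <shell profile>) from the matching rule."""
    if not source.authenticate(user):
        return "auth-failed", None
    _, shell, _ = authorize(user, rules)
    return "authorized", shell


# Approach 1 (Andy's reply): one AD join point, deny-all default rule.
RULES = [
    AuthzRule("NetAdmins_Full", "NetAdmins-RW", "Priv15 Shell", "PermitAll"),   # hypothetical
    AuthzRule("NetOps_ReadOnly", "NetOps-RO", "Priv1 Shell", "ShowOnly"),       # hypothetical
    AuthzRule(DEFAULT_RULE, None, DENY_ALL_SHELL, DENY_ALL_COMMANDS),
]
AD_JOIN_POINT = IdentitySource("corp.example AD join point")

# Approach 2 (original poster's workaround): LDAP sources scoped per group.
LDAP_RW = IdentitySource("LDAP-RW", {"NetAdmins-RW"})
LDAP_RO = IdentitySource("LDAP-RO", {"NetOps-RO"})

if __name__ == "__main__":
    for user in AD_USERS:
        print(user, "via AD join point:", device_admin(user, AD_JOIN_POINT, RULES))
        print(user, "via LDAP-RW:", device_admin(user, LDAP_RW, RULES))
```

The difference the thread is arguing about shows up in the output for carol: with the AD join point she authenticates successfully and is only stopped by Tacacs_Default handing her the deny-all shell profile, whereas with the scoped LDAP source the authentication itself fails, which is what the original poster wanted.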

I agree, but this still allows a user to authenticate. I don't want to allow users not in a specific group to access the CLI.

If you could add a separate AD Join point and only permit the required groups this would work, but ISE only allows you to have a single join point per active directory domain.