


ISE Device Admin using active directory

I can't seem to work this one out... how do you match against an AD group at the authentication level (not authorisation)? I have a wide AD group selected under the AD external identity sources (covering all corporate wireless users). I don't want those users to be able to authenticate and gain access to the CLI of our network devices.


The default ISE Authorization policy (in 2.1) seems to be:

Command Set:DenyAllCommands
Shell Profiles:<Blank>

If you change the Shell Profile in Tacacs_Default to "Deny All Shell Profile" then this should prevent unauthorised users from accessing the CLI.


Information related to user identity (such as AD-related info, internal users or others) can only be leveraged after authentication.

For the example that you give, you can authenticate against AD and then create Authorization rules that match against specific groups to allow access. All other groups (default rule) can be assigned the result "Deny Access".

Yes, but I don't understand why you can't focus the authentication to a specific AD group. In most deployments where you are providing Wired, Wireless and Device admin you will almost certainly capture most of your users within AD.

This can't be the case... I must be missing something here!

I got this working. Instead of using AD I created two separate LDAP external sources. One only having access to the RW AD groups and the other only having access via the RO AD groups. 

It's a shame you can't create two direct AD relationships, that would have been ideal.
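To make the difference between the two approaches in this thread concrete (an authorization rule with a default "Deny All Shell Profile" / DenyAllCommands result, versus the LDAP workaround above that scopes the identity source so users outside the admin groups never authenticate at all), here is an added Python model of the decision flow. It is not ISE code and not from anyone in this thread; the directory contents, user names, the "correct" password, and the shell profile and command set names other than "Deny All Shell Profile" and "DenyAllCommands" are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: user -> AD group memberships (illustrative only).
# Every user is in the broad wireless group; only two are in network admin groups.
DIRECTORY = {
    "alice": {"Corp-Wireless-Users", "NetAdmins-RW"},
    "bob":   {"Corp-Wireless-Users", "NetOps-RO"},
    "carol": {"Corp-Wireless-Users"},
}

# Constructed: the only password the toy directory accepts.
VALID_PASSWORD = "correct"


@dataclass
class IdentitySource:
    """A simplified external identity source.

    scope=None models a single AD join point: every domain user can authenticate.
    scope={...} models the LDAP workaround from the thread: the source only exposes
    members of the listed groups, so anyone else fails at the authentication step.
    """
    name: str
    scope: Optional[set] = None

    def authenticate(self, user: str, password: str) -> bool:
        if user not in DIRECTORY or password != VALID_PASSWORD:
            return False
        if self.scope is None:
            return True
        return bool(DIRECTORY[user] & self.scope)


@dataclass
class AuthzRule:
    """One row of a device-admin authorization policy, evaluated top to bottom."""
    name: str
    required_group: Optional[str]   # None => default rule, matches everyone
    shell_profile: str
    command_set: str


# Ordered rule table. Specific groups first, default (deny) last, as the
# earlier answer in the thread recommends. Rule names and the RW/RO result
# names are constructed; the default results are the ISE defaults named above.
RULES = [
    AuthzRule("RW admins", "NetAdmins-RW", "Privileged Shell", "PermitAllCommands"),
    AuthzRule("RO operators", "NetOps-RO", "ReadOnly Shell", "ShowCommandsOnly"),
    AuthzRule("Tacacs_Default", None, "Deny All Shell Profile", "DenyAllCommands"),
]

AD_JOIN_POINT = IdentitySource("corp.example AD")                      # whole domain
LDAP_ADMINS_ONLY = IdentitySource("LDAP admins", {"NetAdmins-RW", "NetOps-RO"})


def authorize(user: str, rules) -> AuthzRule:
    """Return the first rule whose group condition the user satisfies."""
    groups = DIRECTORY.get(user, set())
    for rule in rules:
        if rule.required_group is None or rule.required_group in groups:
            return rule
    raise RuntimeError("policy has no default rule")   # unreachable with RULES above


def device_admin(source: IdentitySource, rules, user: str, password: str) -> dict:
    """Authenticate against the identity source, then evaluate authorization.

    Group information is only consulted after a successful authentication,
    which is the point made in the thread.
    """
    if not source.authenticate(user, password):
        return {"authenticated": False, "rule": None,
                "shell_profile": None, "command_set": None}
    rule = authorize(user, rules)
    return {"authenticated": True, "rule": rule.name,
            "shell_profile": rule.shell_profile, "command_set": rule.command_set}


if __name__ == "__main__":
    for src in (AD_JOIN_POINT, LDAP_ADMINS_ONLY):
        for user in DIRECTORY:
            print(src.name, user, device_admin(src, RULES, user, VALID_PASSWORD))
```

With the AD join point, carol (wireless-only) authenticates successfully but lands on the default rule and gets "Deny All Shell Profile" / DenyAllCommands, so she has no usable CLI session; with the group-scoped LDAP source she never authenticates. Either way the observable outcome is no CLI access, but only the scoped source produces an authentication failure in the logs, which is what the original question was asking for.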

I agree, but this still allows a user to authenticate. I don't want to allow users not in a specific group to access the CLI.

If you could add a separate AD Join point and only permit the required groups this would work, but ISE only allows you to have a single join point per active directory domain. 
