05-28-2019 02:31 AM - edited 05-28-2019 06:04 AM
Hi all,
We are going to implement Easy Connect with Trusted Domains.
We have groups from domain A and users from domain B.
The TEST USER tool shows that ISE goes to the join point, which is domain A, but cannot find the user; then it goes to domain B and pulls information about the user from there. Unfortunately there are no required groups in domain B.
Is it normal behavior for ISE? Is it possible for ISE to understand that a group and user belong to different domains?
05-28-2019 03:05 PM
This situation is complex, because you are retrieving a domain local group for users outside of this domain.
Please check this document; I believe it matches your scenario:
Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.
Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:
Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.
Domain local groups outside a user’s or computer’s account domain are not supported.
From the screenshots I can see they are domain local; if they were global, things would have been different.
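As an added illustration (not code from this thread, from Cisco, or from ISE itself), here is a small Python check that decodes the Active Directory groupType attribute and reports which of a user's groups fall under the quoted restriction, i.e. are domain local and live in a different domain than the user's account. The flag values are the documented ADS_GROUP_TYPE bits; the distinguished names, groupType values and helper names are constructed sample data for the demo.

```python
"""Decode AD groupType and flag cross-domain domain-local groups.

Added example, not part of the forum thread. Flag values are the
documented ADS_GROUP_TYPE_ENUM bits; everything else is constructed.
"""
import re

# groupType bit flags (ADS_GROUP_TYPE_ENUM).
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def group_scope(group_type: int) -> str:
    """Return the scope encoded in a groupType value.

    LDAP returns groupType as a signed 32-bit integer, so a security
    group shows up negative (e.g. -2147483644); mask to unsigned first.
    """
    value = group_type & 0xFFFFFFFF
    if value & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain local"
    if value & GROUP_TYPE_GLOBAL:
        return "global"
    if value & GROUP_TYPE_UNIVERSAL:
        return "universal"
    return "unknown"


def domain_of(dn: str) -> str:
    """Derive the DNS domain from the DC= components of a DN.

    Splits on unescaped commas only, so a CN containing '\\,' is kept whole.
    """
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    dcs = [p[3:] for p in parts if p.upper().startswith("DC=")]
    return ".".join(dcs).lower()


def group_usable_for_user(user_dn: str, group_dn: str, group_type: int):
    """Apply the documented restriction: domain local groups outside the
    user's account domain cannot be referenced in an ISE policy rule."""
    scope = group_scope(group_type)
    user_domain = domain_of(user_dn)
    group_domain = domain_of(group_dn)
    if scope == "domain local" and user_domain != group_domain:
        return False, (f"domain local group in {group_domain} cannot be used "
                       f"for an account in {user_domain}")
    return True, f"{scope} group in {group_domain} is usable"


def find_unsupported_groups(user_dn: str, groups):
    """Return the DNs of groups (iterable of (dn, groupType)) that ISE
    will not be able to evaluate for this user."""
    return [dn for dn, gtype in groups
            if not group_usable_for_user(user_dn, dn, gtype)[0]]


# Constructed sample data: a user in domain B and groups in domain A.
SAMPLE_USER_DN = "CN=Test User,OU=Users,DC=domainb,DC=example,DC=com"
SAMPLE_GROUPS = [
    ("CN=VPN-Users,OU=Groups,DC=domaina,DC=example,DC=com", -2147483644),  # security, domain local
    ("CN=Staff,OU=Groups,DC=domaina,DC=example,DC=com", -2147483646),      # security, global
    ("CN=All-Users,OU=Groups,DC=domaina,DC=example,DC=com", -2147483640),  # security, universal
    ("CN=Local-B,OU=Groups,DC=domainb,DC=example,DC=com", -2147483644),    # domain local, same domain
]

if __name__ == "__main__":
    for dn, gtype in SAMPLE_GROUPS:
        ok, why = group_usable_for_user(SAMPLE_USER_DN, dn, gtype)
        print(("OK  " if ok else "SKIP"), dn, "->", why)
```

Run it as-is to see which sample groups would be skipped; in practice you would feed the output of an LDAP query for the user's memberOf attribute and each group's groupType into `find_unsupported_groups`.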
05-30-2019 05:20 AM
Dear Yalbikaw
Thank you for your answer. It was very useful!
06-07-2019 10:52 AM
Happy to hear that :)