ISE policy to allow clients that do not belong to any AD Group

jphilp
Level 1

Hi 

I'm running an ISE (version 3). I want to create an authorization policy that only allows clients to connect that have a certificate but do not belong to an AD group. Is this possible?

I already have a policy that allows clients to another SSID that have a certificate and belong to a specific AD group which works fine.

I am setting up a new SSID. Devices that will connect to this new SSID are not able to join an AD group.

 

So, the rules would be:

1. has a certificate

2. belongs to SSID ABC123

3. is not a member of any AD group

 

any help would be appreciated.

6 Replies

Hi @jphilp ,

A user is a member of the Domain Users group, so please try adding this condition:

3. User is NOT a member of the Domain Users group ("AD.ExternalGroups NOT EQUALS AD/Domain Users Group").

 

Hope this helps !!!

Greg Gibbs
Cisco Employee

Yes, this is an approach I have used for customer MacOS and Linux endpoint authentication in the past. Ideally, the certificate used by the endpoint should have some unique value that can be matched on that differentiates it from other AD-joined endpoints (OU, Root/Issuer CA, etc).

You would need to configure the following:

1. Ensure the Root CA chain is trusted in ISE and the endpoint trusts the ISE EAP cert

2. Create a Certificate Authentication Profile (CAP) with the Identity Store value set to [not applicable]

3. Create an AuthC Policy that matches on your unique cert value and uses the new CAP

4. Create an AuthZ Policy that also matches on your unique cert value

Example AuthC Policy:

[Screenshot: Screen Shot 2022-01-11 at 9.03.16 am.png]

Example AuthZ Policy:

[Screenshot: Screen Shot 2022-01-11 at 9.01.52 am.png]
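As an added illustration (not ISE code and not from any poster in this thread) of the approach in Greg's four steps above, and of why it sidesteps the "not in any AD group" condition suggested in the first reply, the following Python model mimics the shape of an ISE policy set: an EAP-TLS authentication check against a trusted CA list, followed by first-match authorization rules. The radio rule keys only on the SSID and a certificate value that differs from the corporate certs, so it needs no identity-store lookup at all. ABC123 is the SSID from the question; the CA names, the CORP SSID, the WiFi-Users group and the sample requests are constructed assumptions.

```python
"""Constructed model of the EAP-TLS authorization flow discussed in this thread.

Added illustration, not ISE code: it mimics an ISE policy set (authentication,
then first-match authorization rules) so the difference between "not in an AD
group" and "matches a unique certificate value" can be exercised with sample
requests. CA names, the CORP SSID and the WiFi-Users group are assumptions;
ABC123 is the SSID from the question.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Assumed issuing CAs trusted in ISE's certificate store (constructed names).
TRUSTED_CAS: FrozenSet[str] = frozenset({"Corp Issuing CA", "Radio Devices CA"})
RADIO_SSID = "ABC123"               # SSID from the question
RADIO_ISSUER = "Radio Devices CA"   # assumed differentiating value on radio certs
CORP_SSID = "CORP"                  # assumed name of the existing corporate SSID
CORP_GROUP = "WiFi-Users"           # assumed AD group used by the existing policy


@dataclass(frozen=True)
class Request:
    """Attributes ISE would see for one RADIUS access request."""
    ssid: str
    cert_issuer_cn: Optional[str] = None          # None: no client certificate
    cert_subject_ou: Optional[str] = None
    ad_groups: Optional[FrozenSet[str]] = None    # None: no identity-store lookup


def authenticate(req: Request) -> bool:
    """EAP-TLS passes only if a certificate is present and its issuer is trusted."""
    return req.cert_issuer_cn is not None and req.cert_issuer_cn in TRUSTED_CAS


# (rule name, condition, authorization result), evaluated first-match like ISE.
Rule = Tuple[str, Callable[[Request], bool], str]

AUTHZ_RULES: List[Rule] = [
    # Greg's approach: key only on SSID and a unique certificate value;
    # there is no AD group condition, so no identity-store lookup is needed.
    ("Radio devices on ABC123",
     lambda r: r.ssid == RADIO_SSID and r.cert_issuer_cn == RADIO_ISSUER,
     "PermitAccess_Radio"),
    # The poster's existing policy: certificate plus membership of an AD group.
    ("Corp laptops on CORP",
     lambda r: r.ssid == CORP_SSID
     and r.cert_issuer_cn == "Corp Issuing CA"
     and r.ad_groups is not None
     and CORP_GROUP in r.ad_groups,
     "PermitAccess_Corp"),
]
DEFAULT_RESULT = "DenyAccess"


def authorize(req: Request) -> str:
    """Return the authorization result for one request."""
    if not authenticate(req):
        return "Reject"  # authentication failure; authorization never runs
    for _name, condition, result in AUTHZ_RULES:
        if condition(req):
            return result
    return DEFAULT_RESULT


# Constructed sample requests covering the cases raised in the thread.
SAMPLES: Dict[str, Request] = {
    "radio on ABC123": Request(RADIO_SSID, RADIO_ISSUER, "Radios"),
    "AD laptop on ABC123": Request(
        RADIO_SSID, "Corp Issuing CA", "Laptops",
        frozenset({"Domain Users", CORP_GROUP})),
    "AD laptop on CORP": Request(
        CORP_SSID, "Corp Issuing CA", "Laptops",
        frozenset({"Domain Users", CORP_GROUP})),
    "radio on CORP": Request(CORP_SSID, RADIO_ISSUER, "Radios"),
    "unknown CA on ABC123": Request(RADIO_SSID, "Some Other CA", "Radios"),
    "no certificate on ABC123": Request(RADIO_SSID),
}


def evaluate_samples() -> Dict[str, str]:
    """Authorize every sample request and return the results by label."""
    return {label: authorize(req) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in evaluate_samples().items():
        print(f"{label:28} -> {result}")
```

The laptop case is the one to watch: an AD-joined laptop that joins ABC123 is denied only because its certificate issuer differs from the radio issuer. If the radios were enrolled from the same corporate CA with no distinguishing OU or issuer, the rule would have nothing to separate them, which is the point of Greg's advice to give the radio certificates a unique value.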

Arne Bier
VIP

Hello @jphilp 

 

I am curious how you managed to create an AD user object and not have that object be a member of ANY Groups? As far as I know, every AD user must have a Primary AD Group set.

 

They are not AD objects. These are radio devices that need to connect to WiFi to carry out software upgrades so they don't/can't belong to an AD group. I want this rule to stop any laptops connecting to this SSID i.e. if anything that tries to join is a member of any AD group then they will fail authorization.

Oh right. Sorry, I missed the part about you not wanting to look up the endpoint identity in any identity store. As Greg pointed out, the CAP without lookup will do that.

Hi,

I don't think you can select 'not a member of any AD group', because in AD users will be in a default group if you don't assign any group manually. You should create a group (e.g. called NODOMAIN) and assign these users to it. Then match this group.

If your goal is to provide non-domain users access to the network, then you need to go with ISE Guest Access rather than 'not in AD group'.

**** please remember to rate useful posts