01-10-2022 01:26 AM
Hi
I'm running an ISE (version 3). I want to create an authorization policy that only allows clients to connect that have a certificate but do not belong to an AD group. Is this possible?
I already have a policy that allows clients to another SSID that have a certificate and belong to a specific AD group which works fine.
I am setting up a new SSID. Devices that will connect to this new SSID are not able to join an AD group.
So, the rules would be:
1. has a certificate
2. belongs to SSID ABC123
3. is not a member of any AD group
any help would be appreciated.
01-10-2022 02:37 AM
Hi @jphilp ,
a User is a member of the Domain Users Group, please try to add this Condition:
3. User is NOT member of the Domain Users Group. ("AD.ExternalGroups NOT EQUALS AD/Domain Users Group")
Hope this helps !!!
01-10-2022 02:04 PM
Yes, this is an approach I have used for customer MacOS and Linux endpoint authentication in the past. Ideally, the certificate used by the endpoint should have some unique value that can be matched on that differentiates it from other AD-joined endpoints (OU, Root/Issuer CA, etc).
You would need to configure the following:
1. Ensure the Root CA chain is trusted in ISE and the endpoint trusts the ISE EAP cert
2. Create a Certificate Authentication Profile (CAP) with the Identity Store value set to [not applicable]
3. Create an AuthC Policy that matches on your unique cert value and uses the new CAP
4. Create an AuthZ Policy that also matches on your unique cert value
Example AuthC Policy:
Example AuthZ Policy:
01-10-2022 03:10 PM
Hello @jphilp
I am curious how you managed to create an AD user object and not have that object be a member of ANY Groups? As far as I know, every AD user must have a Primary AD Group set.
01-11-2022 01:57 AM
They are not AD objects. These are radio devices that need to connect to WiFi to carry out software upgrades so they don't/can't belong to an AD group. I want this rule to stop any laptops connecting to this SSID i.e. if anything that tries to join is a member of any AD group then they will fail authorization.
01-11-2022 02:29 AM
Oh right. Sorry I missed the part about you not wanting to look up the endpoint identity in any identity store. As Greg pointed out, the CAP without lookup will do that.
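Added example, not from this thread or from Cisco ISE: a small Python model of how the two approaches discussed above (the "AD.ExternalGroups NOT EQUALS Domain Users" condition, and the CAP with no identity-store lookup matching on a certificate value) evaluate against a RADIUS session. The attribute names imitate ISE dictionaries, the issuer CN `CN=Radio-Device-CA` is an assumption, and the sessions are constructed.

```python
# Model of the two authorization rules discussed in the thread. Attribute names
# imitate ISE dictionaries; evaluator and sample sessions are constructed here.

ALLOWED_SSID = "ABC123"                 # SSID named in the question
DEVICE_ISSUER = "CN=Radio-Device-CA"    # assumed issuer that only radio-device certs carry
DOMAIN_USERS = "AD/Domain Users"        # group named in the first reply


def ssid_of(session):
    """WLCs send Called-Station-ID as '<ap-mac>:<ssid>'; return the SSID part."""
    value = session.get("Radius.Called-Station-ID", "")
    return value.rsplit(":", 1)[-1] if ":" in value else ""


def has_cert(session):
    return bool(session.get("CERTIFICATE.Issuer"))


def rule_not_domain_users(session):
    """Approach 1: cert present, SSID matches, AD.ExternalGroups NOT EQUALS Domain Users.
    An endpoint that was never looked up in AD carries no groups, so it passes too."""
    groups = session.get("AD.ExternalGroups", [])
    return has_cert(session) and ssid_of(session) == ALLOWED_SSID and DOMAIN_USERS not in groups


def rule_cap_no_lookup(session):
    """Approach 2: CAP with identity store [not applicable]; no AD lookup happens, so the
    policy can only tell endpoints apart by a value inside the certificate (issuer here)."""
    return (has_cert(session) and ssid_of(session) == ALLOWED_SSID
            and session.get("CERTIFICATE.Issuer") == DEVICE_ISSUER)


# Constructed sessions: a radio device, a domain-joined laptop, and that laptop on another SSID.
RADIO = {"Radius.Called-Station-ID": "00:11:22:33:44:55:ABC123",
         "CERTIFICATE.Issuer": "CN=Radio-Device-CA"}
LAPTOP = {"Radius.Called-Station-ID": "00:11:22:33:44:55:ABC123",
          "CERTIFICATE.Issuer": "CN=Corp-Issuing-CA",
          "AD.ExternalGroups": ["AD/Domain Users", "AD/Laptops"]}
LAPTOP_OTHER_SSID = dict(LAPTOP, **{"Radius.Called-Station-ID": "00:11:22:33:44:55:CORP"})


def evaluate(session):
    """Return (approach-1 result, approach-2 result) for one session."""
    return rule_not_domain_users(session), rule_cap_no_lookup(session)


if __name__ == "__main__":
    for name, s in [("radio", RADIO), ("laptop", LAPTOP), ("laptop/other-ssid", LAPTOP_OTHER_SSID)]:
        print(name, evaluate(s))
```

The two approaches differ for a non-domain endpoint holding a corporate-issued certificate: approach 1 permits it (no groups to match), approach 2 denies it because the issuer is not the device CA.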
01-14-2022 11:20 AM