08-16-2017 11:37 AM
I have a customer having some issues with creating authorization policies based on LDAP attributes. See below:
They want to control MAB workstations network placement based on gidNumbers.
Two authorization policies defined with ISE for MAB:
rule 1 - Wired_MAB and ldap:ExternalGroups EQUALS 1000 then dacl_test
rule 2 - Wired_MAB then dacl_no_gid
Following device authentication via the LDAP and during the authorization phase devices matching rule #1 are skipping rule 1 and matching the simpler rule 2. We want to control workstation placement based on gidNumber or some other ldap group membership or ldap attribute. In this way, we can script ldapmodify to move workstations through various phases of our build and analysis both before and after users have done their work.
Is there something missing in the policy? Is there a better way to accomplish matching on the gidNumber?
Thanks
- Paul
08-17-2017 07:31 AM
Thanks. They are running 2.2 but not sure of the patch level. And, the customer figured it out. He was able to fix the ldap gid issue by using the gid as an attribute rather than trying to match the gid from the group.
08-17-2017 05:41 AM
What version/Patch Level are you running on ISE?
You might try to write
rule 1 - ldap:ExternalGroups EQUALS 1000 and Wired_MAB then dacl_test
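To make the difference between the two approaches concrete, here is a small Python model (an added illustration, not Cisco ISE code or anything from this thread) of ISE-style first-match authorization: `ExternalGroups` is modelled as the list of group DNs an entry belongs to, so `EQUALS 1000` never matches there and falls through to rule 2, whereas a condition on the `gidNumber` attribute hits. The endpoint entry, DNs and the LDIF helper for the ldapmodify phase moves are constructed assumptions.

```python
"""Toy model of ISE first-match authorization against LDAP data.

Added illustration, not Cisco ISE code. The entry, DNs and rule
names below are constructed for the example.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed LDAP entry for a MAB endpoint (MAC address as the RDN).
WORKSTATION: Dict[str, object] = {
    "dn": "cn=00:11:22:33:44:55,ou=workstations,dc=example,dc=com",
    "gidNumber": ["1000"],
    # ISE ExternalGroups are group DNs the entry belongs to, not gid values.
    "memberOf": ["cn=build-phase1,ou=groups,dc=example,dc=com"],
}

Condition = Callable[[Dict[str, object]], bool]
Rule = Tuple[str, Condition, str]  # (rule name, condition, resulting dACL)

def wired_mab(entry: Dict[str, object]) -> bool:
    return True  # every entry in this toy model is a Wired_MAB session

def external_group_equals(value: str) -> Condition:
    # Models "ldap:ExternalGroups EQUALS <value>": compared against group DNs.
    return lambda e: value in e.get("memberOf", [])

def attribute_equals(attr: str, value: str) -> Condition:
    # Models a custom LDAP attribute condition "ldap:<attr> EQUALS <value>".
    return lambda e: value in e.get(attr, [])

def authorize(entry: Dict[str, object], rules: List[Rule]) -> Optional[str]:
    """First matching rule wins, as in an ISE authorization policy."""
    for _name, cond, result in rules:
        if wired_mab(entry) and cond(entry):
            return result
    return None

def group_based_policy() -> List[Rule]:
    return [("rule 1", external_group_equals("1000"), "dacl_test"),
            ("rule 2", lambda e: True, "dacl_no_gid")]

def attribute_based_policy() -> List[Rule]:
    return [("rule 1", attribute_equals("gidNumber", "1000"), "dacl_test"),
            ("rule 2", lambda e: True, "dacl_no_gid")]

def ldif_set_gid(dn: str, gid: str) -> str:
    """LDIF for ldapmodify that moves a workstation to another gidNumber phase."""
    return f"dn: {dn}\nchangetype: modify\nreplace: gidNumber\ngidNumber: {gid}\n"

if __name__ == "__main__":
    print(authorize(WORKSTATION, group_based_policy()))      # dacl_no_gid
    print(authorize(WORKSTATION, attribute_based_policy()))  # dacl_test
```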