Multiple "MemberOf"

cpaquet
Level 1

Good afternoon,

How would ISE deal with a user that has multiple entries for "memberOf" for group assignment? Would ISE use the 1st MemberOf value it encounters to assign a group?

Thanks.

Cath.

nspasov
Cisco Employee

Hello Cath-

ISE will "read" the groups in the order that you have configured them in your authorization rules. So I would recommend that you place the more specific groups towards the bottom and the most common groups towards the bottom. For example:

IF member of executives then authorization profile executives_users

IF member of domain users then authorization profile regular_users

Thank you for rating!

cpaquet
Level 1

Thanks Neno.

Could you please clarify your suggestion "...I would recommend that you place the more specific groups towards the bottom and the most common groups towards the bottom".  

You mean placing the specific at the top and the generic at the bottom, right?

Thank you.

Cath.

Yes, that was a typo on my end. You want generic towards the bottom and specific towards the top. Think of it that way: Everyone is part of "domain users", so everyone would match that rule, but not everyone would be a member of the "executives", so you would want the executives group to be above the domain users.

Thank you Neno for all your help.

Regards,

cath.
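
The rule ordering discussed in this thread, as an added example that is not part of the original posts and is not Cisco ISE code: a simplified first-match model in Python. The function names, the `DenyAccess` default, the case-insensitive group comparison and the sample users are assumptions; the group and profile names come from the thread. It shows that the order of a user's memberOf values does not matter, only the order of the rules, and it flags a rule hidden by a more generic rule above it.

```python
# Simplified first-match model of the authorization rule order described above.
# Illustration only, not Cisco ISE code; all function names are hypothetical.

def first_match(member_of, rules):
    """Index of the first rule (top-down) whose group the user belongs to."""
    groups = {g.lower() for g in member_of}      # memberOf order is irrelevant
    for i, (group, _profile) in enumerate(rules):
        if group.lower() in groups:              # assumed case-insensitive compare
            return i
    return None

def authorize(member_of, rules, default="DenyAccess"):
    """Profile assigned to the user; `default` is an assumed fallback."""
    i = first_match(member_of, rules)
    return default if i is None else rules[i][1]

def shadowed_rules(rules, directory):
    """Groups that have members but whose rule is never the first match."""
    reached = {first_match(m, rules) for m in directory.values()}
    hidden = []
    for i, (group, _profile) in enumerate(rules):
        has_members = any(group.lower() in {g.lower() for g in m}
                          for m in directory.values())
        if has_members and i not in reached:
            hidden.append(group)
    return hidden

# Constructed sample directory: user -> memberOf values, in differing orders.
DIRECTORY = {
    "alice": ["Domain Users", "Executives"],
    "bob":   ["Domain Users"],
    "carol": ["Executives", "Domain Users"],
}

# Specific rule on top, generic rule at the bottom (the corrected advice).
SPECIFIC_FIRST = [("Executives", "executives_users"),
                  ("Domain Users", "regular_users")]
# Generic rule on top: every executive also matches "Domain Users" first.
GENERIC_FIRST = [("Domain Users", "regular_users"),
                 ("Executives", "executives_users")]

if __name__ == "__main__":
    for name, rules in (("specific first", SPECIFIC_FIRST),
                        ("generic first", GENERIC_FIRST)):
        print(name)
        for user, member_of in DIRECTORY.items():
            print(f"  {user}: {authorize(member_of, rules)}")
        print(f"  shadowed rules: {shadowed_rules(rules, DIRECTORY)}")
```

Running the shadow check against an export of real group memberships before changing rule order shows which rules would stop being reachable.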