Beginner

Multiple "MemberOf"

Good afternoon,

How would ISE deal with a user that has multiple entries for "memberOf" for group assignment? Would ISE use the 1st MemberOf value it encounters to assign a group?

Thanks.

Cath.

Cisco Employee

Hello Cath-

ISE will "read" the groups in the order that you have configured them in your authorization rules. So I would recommend that you place the more specific groups towards the bottom and the most common groups towards the bottom. For example:

IF member of executives then authorization profile executives_users

IF member of domain users then authorization profile regular_users

Thank you for rating!

Beginner

Thanks Neno.

Could you please clarify your suggestion "...I would recommend that you place the more specific groups towards the bottom and the most common groups towards the bottom".  

You mean placing the specific at the top and the generic at the bottom, right?

Thank you.

Cath.

Yes, that was a typo on my end. You want generic towards the bottom and specific towards the top. Think of it that way: Everyone is part of "domain users", so everyone would match that rule, but not everyone would be a member of the "executives", so you would want the executives group to be above the domain users.
Thank you Neno for all your help.

Regards,

cath.
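
Added example, not part of the original thread and not ISE's own code: a Python model of the top-down, first-match rule evaluation described in the replies above, applied to users with several memberOf values, plus a check for rules that no user can ever reach. The directory contents, the `deny_access` default and the function names are constructed for illustration.

```python
# Model of ordered, first-match authorization rules. Assumption: evaluation
# stops at the first rule whose group appears in the user's memberOf values.

# Constructed sample directory: user -> memberOf groups.
DIRECTORY = {
    "alice": {"Domain Users", "Executives"},
    "bob": {"Domain Users"},
    "carol": {"Domain Users", "Executives", "VPN Users"},
}

# Rules as (required group, authorization profile), listed top to bottom.
GENERIC_FIRST = [("domain users", "regular_users"),
                 ("executives", "executives_users")]
SPECIFIC_FIRST = [("executives", "executives_users"),
                  ("domain users", "regular_users")]


def _norm(groups):
    """Compare group names case-insensitively."""
    return {g.casefold() for g in groups}


def authorize(member_of, rules, default="deny_access"):
    """Return the profile of the first rule matched by any memberOf value.

    `default` is a hypothetical placeholder for the policy's catch-all rule.
    """
    groups = _norm(member_of)
    for group, profile in rules:
        if group.casefold() in groups:
            return profile
    return default


def shadowed_rules(rules, directory):
    """Return rules that are matched by some user but never reached,
    because every such user already hits a rule higher in the list."""
    shadowed = []
    for index, (group, profile) in enumerate(rules):
        earlier = _norm(g for g, _ in rules[:index])
        members = [_norm(m) for m in directory.values()
                   if group.casefold() in _norm(m)]
        if members and all(earlier & m for m in members):
            shadowed.append((group, profile))
    return shadowed


if __name__ == "__main__":
    for label, rules in (("generic first", GENERIC_FIRST),
                         ("specific first", SPECIFIC_FIRST)):
        results = {u: authorize(g, rules) for u, g in DIRECTORY.items()}
        print(label, results, "shadowed:", shadowed_rules(rules, DIRECTORY))
```

With the generic rule on top, the executives rule is reported as shadowed and every user lands in `regular_users`; with the specific rule on top, nothing is shadowed.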