
Only specific groups should get authenticated on ISE instead of the entire AD

tabish bhat (Level 1)

Hello friends,

I integrated ISE with AD, but all users in AD are getting authenticated against my network devices and land in exec mode, though these users do not have privileges to do the configuration; only network admins are able to do so, because I have defined the admin group names in the authorization policy. Now what I want is to define only specific group names in the authentication policy instead of the AD name. Is there any way to do so?

Many thanks in advance.

Regards/Tash

11 Replies

jan.nielsen (Level 7)

You should just use more specific authorization rules for admins and then deny all others access; there's no need to create specific authentication rules.

Hello Jan,

Thanks for the reply,

But that is what I did.

I created the rules below in the authorization policy:

Rule-name: -any- AD-External groups equals (Network admin groups)

Deny-rule: if no match, DenyAll. But users still get authenticated at level 0.

Please let me know if i am doing it correctly

Regards

Tash

Did you select the group in the first column right after the word "if"? Or have you put it in the conditions column after the word "and"? It needs to be selected in the first one. Using conditions to match AD groups does not work.

It would help if you uploaded a screenshot of the rules.

Hi Jan,

I have chosen "any" right after "if" because I could not find the groups that I have retrieved from AD.

After "any" and "and" I have selected AD-External groups equals admingroup.

Please find the screenshot.

Thanks

Tash

(Accepted Solution)

That won't work. Did you add the groups you want to check membership of in the menu External Identity Sources / Active Directory / AD-name / Groups? The ones you add there should show up when you press the + next to "if" and select the name you gave your external AD definition.

Hi Jan,

I need to check that, because next to "if" I can see only AD-External groups, and on the last tab I could find the AD groups.

Thanks

Tash

Actually, I was wrong: the identity groups you select in the column after the "if" are only internal ISE identity groups. It should be chosen in the regular conditions as AD:ExternalGroups = "the group you added to your AD settings"; that group should be listed.

Hi Jan,

Yes, that is how I created these conditions:

Admin: if any AND AD-External-group equals networkadmingroup.

Regards

Tabish

Joseph Johnson (Level 1)

Create a condition in the authorization rule that requires the External Groups for the AD to contain the Network Admins domain group (whatever it is called). If you have multiple groups, use the OR operator to have multiple external groups defined.

Hi Joseph,

Thanks for your reply.

I created the rules below in the authorization policy:

Rule-name: -any- AD-External groups equals (Network admin groups)

Deny-rule: if no match, DenyAll. But users still get authenticated at level 0.

Please let me know if i am doing it correctly.

Thanks & Regards

Tash

That should work. It depends on any rules you have before that one that could hit first. Check your authentication logs after someone attempts to log in to make sure it is working.

You may have to change Equals to Contains. I've had issues with nested groups and Equals not hitting.
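The two checks raised in this thread, rule ordering (an earlier rule hitting first) and nested AD group membership not matching a direct comparison, as an added example that is not from the thread and not Cisco ISE code. It is a small Python model of an ordered, first-match authorization policy whose rules compare a user's external group list, evaluated once with direct membership only and once with nested membership resolved. The directory (users, groups, nesting), rule names and shell-profile names are constructed for the example; the LDAP filter helper at the end builds the real AD matching-rule-in-chain filter (OID 1.2.840.113556.1.4.1941) you would give to ldapsearch to confirm nested membership outside ISE, but it is only built here, not sent anywhere.

```python
# Added example: first-match policy evaluation with direct vs. nested group
# matching. This is a model for reasoning about the thread, not Cisco ISE code.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

DENY = "DenyAccess"

# Constructed directory (assumption): group -> nested member groups.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "NetworkAdmins": {"CoreNetworkTeam"},   # CoreNetworkTeam is nested inside
    "CoreNetworkTeam": set(),
    "Helpdesk": set(),
}
# Constructed directory (assumption): user -> directly assigned groups.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"NetworkAdmins"},     # direct member of the admin group
    "bob": {"CoreNetworkTeam"},     # admin only through nesting
    "carol": {"Helpdesk"},          # not an admin
}


def direct_groups(user: str) -> Set[str]:
    """Groups the user is listed in directly (what a plain memberOf shows)."""
    return set(USER_GROUPS.get(user, set()))


def transitive_groups(user: str) -> Set[str]:
    """Groups reachable through nesting, walking child -> parent with a visited
    set so group cycles cannot loop forever."""
    seen: Set[str] = set()
    stack = list(direct_groups(user))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for parent, members in GROUP_MEMBERS.items():
            if group in members and parent not in seen:
                stack.append(parent)
    return seen


@dataclass
class Rule:
    name: str
    required_group: Optional[str]   # None means the rule matches any user
    result: str                     # shell profile name, or DENY


def evaluate(user: str, rules: List[Rule],
             resolver: Callable[[str], Set[str]]) -> str:
    """First matching rule wins; nothing matching falls through to DENY."""
    groups = resolver(user)
    for rule in rules:
        if rule.required_group is None or rule.required_group in groups:
            return rule.result
    return DENY


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never hit because an unconditional rule
    precedes them: the ordering problem to look for in the policy."""
    shadowed: List[str] = []
    catch_all_seen = False
    for rule in rules:
        if catch_all_seen:
            shadowed.append(rule.name)
        if rule.required_group is None:
            catch_all_seen = True
    return shadowed


def nested_member_filter(sam_account: str, group_dn: str) -> str:
    """AD LDAP filter that matches the user if it is a direct OR nested member
    of group_dn (matching rule in chain). Use with ldapsearch to verify
    membership independently of ISE. DN is whatever your domain uses."""
    return (f"(&(objectClass=user)(sAMAccountName={sam_account})"
            f"(memberOf:1.2.840.113556.1.4.1941:={group_dn}))")


# Policy as intended: admins get privilege 15, everyone else is denied.
ADMIN_FIRST = [Rule("NetAdmins", "NetworkAdmins", "Priv15"),
               Rule("Default", None, DENY)]
# Misordered policy: a catch-all permit placed before the admin rule.
PERMIT_FIRST = [Rule("AnyAD", None, "Priv1"),
                Rule("NetAdmins", "NetworkAdmins", "Priv15")]

if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, "direct:", evaluate(user, ADMIN_FIRST, direct_groups),
              "nested:", evaluate(user, ADMIN_FIRST, transitive_groups))
    print("shadowed in PERMIT_FIRST:", shadowed_rules(PERMIT_FIRST))
```

Run as-is: bob is denied when only direct membership is compared and gets Priv15 once nesting is resolved, which is the symptom behind the "Equals does not hit nested groups" comment; in the misordered policy every user, admins included, lands on the catch-all result, which is the "a rule before that one hits first" case.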