
Policy Set wrapper Creation with user AD group name

Jay Tiwari
Cisco Employee

Hi Team,

One of my customers wants to create a Policy Set with a condition on the user's AD group (at the cover of the policy set); however, I don't see an option to select the AD group name.

Is there any idea whether we will support this in upcoming releases?

Thanks,

Jay

1 Accepted Solution

Arne Bier
VIP

While I understand the requirement, I doubt ISE would do this, since it is nonsensical because authentication has not yet taken place. In the Policy Set Conditions we are checking the RADIUS attributes for hints about the type of authentication (e.g. Service-Type, etc.) and who is making the request (e.g. NDG, which is basically checking the source IP of the request). Even if ISE had the ability to check AD Group, you would first need to have passed authentication in order to care about the user's AD attributes and groups. It would be very CPU intensive to perform this check for every RADIUS request prior to the authentication stage.

AD Group checks are generally done during Authorization because it makes sense to do it here. Why does this not meet the customer’s needs?

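The evaluation order Arne describes, as an added example that is not from the thread or from Cisco ISE: a minimal model in which policy-set selection sees only the raw RADIUS request (NAS source address mapped to an NDG, Service-Type), authentication verifies the User-Name claim against the identity store, and only then does authorization consult AD groups. The users, groups, subnets and policy-set names are constructed for illustration; the model also shows why keying policy-set selection on the group of the still-unverified User-Name would act on an unauthenticated claim.

```python
# Added example (not ISE code): three-stage evaluation with constructed data.
import hmac
import ipaddress

# Constructed "AD": user -> (password, groups). Real ISE uses an AD join point.
AD_USERS = {
    "alice": ("correct-horse", {"Domain Users", "NetAdmins"}),
    "bob": ("battery-staple", {"Domain Users"}),
}
# Constructed network device groups, keyed by the NAS source subnet.
NDG_BY_SUBNET = {
    ipaddress.ip_network("10.1.0.0/16"): "Campus-Switches",
    ipaddress.ip_network("10.2.0.0/16"): "Branch-WLC",
}

def select_policy_set(req):
    """Stage 1: match only attributes carried in the RADIUS request itself."""
    nas = ipaddress.ip_address(req["NAS-IP-Address"])
    ndg = next((n for s, n in NDG_BY_SUBNET.items() if nas in s), None)
    if ndg == "Campus-Switches" and req.get("Service-Type") == "Framed":
        return "Wired-8021X"
    if ndg == "Branch-WLC":
        return "Wireless"
    return "Default"

def authenticate(req):
    """Stage 2: the User-Name claim is verified against the store only here."""
    entry = AD_USERS.get(req.get("User-Name"))
    if entry is None:
        return None
    if not hmac.compare_digest(entry[0], req.get("User-Password", "")):
        return None
    return req["User-Name"]  # now an authenticated identity

def authorize(policy_set, identity):
    """Stage 3: AD group checks apply to the verified identity, not the claim."""
    groups = AD_USERS[identity][1]
    if policy_set == "Wired-8021X" and "NetAdmins" in groups:
        return "PermitAccess-AdminVLAN"
    if "Domain Users" in groups:
        return "PermitAccess"
    return "DenyAccess"

def evaluate(req):
    """Run the stages in order; a failed authentication never reaches stage 3."""
    policy_set = select_policy_set(req)
    identity = authenticate(req)
    if identity is None:
        return policy_set, None, "Reject"
    return policy_set, identity, authorize(policy_set, identity)
```

A request claiming "alice" with a wrong password still selects the Wired-8021X policy set from its RADIUS attributes but is rejected before any group check runs; only a verified "alice" reaches the NetAdmins rule.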
3 Replies

Hi,

I don't see how this will work. Technically you can read the AD group before authenticating the user successfully to get its attribute.

I don’t get your response. Authentication simply checks if the credentials are valid and then continues on to authorization.