Possible to assign SGT value from inside the Authorization Profile?

scamarda
Cisco Employee

ISE22P2. I have a customer that is using a single AuthZ rule / AuthZ Profile to assign an ASA Group Policy value to his VPN users. He is using an AD field in the user's record to identify and assign the group policy (AD-Instance:Department). Department is the value that is fed to the ASA and matches predefined group policies. This works well, but now he is also looking to assign an SGT value to the VPN users as well. Assigning the SGT from the AuthZ policy level would require each user to be broken out into individual AuthZ rules. He would like to be able to cross-reference the AD-Instance:Department parameter to also assign the SGT value (the same way he is doing for the group policy).

I did not see any references in the console or the documentation. I want to double-check whether this is possible and, if not, what the feasibility is of adding an "SGT value from inside the AuthZ Profile" capability.

Accepted Solution

Craig Hyps
Level 10

Yes.  The crux of the config is to set an existing attribute (for example, Description) to the desired SGT tag and then reference that value in ISE policy.  For example:

Actual authorization:     cisco-av-pair=cts:security-group-tag=000d-0

Using AD attribute lookup under Advanced Settings:     cisco:cisco-av-pair=AD1:description

…where the value defined in the AD1 store for authenticating user X is “cts:security-group-tag=000d-0”

/Craig

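With the approach in the accepted answer, whatever string sits in the chosen AD attribute (description in Craig's example) is passed through by the authorization profile and sent to the ASA verbatim as a RADIUS cisco-av-pair. Before trusting that path, a practitioner would want to audit those attribute values: every in-scope user should hold exactly one well-formed cts:security-group-tag av-pair, and the SGT it names should be one the deployment actually intends to hand out. The script below is an added example, not code from the original thread or from Cisco; the user records, the allow-list of SGT values, and the requirement that the value use the canonical 4-hex-digit form shown in the thread (000d-0) are all assumptions for a hypothetical deployment.

```python
"""
Audit AD attribute values that an ISE authorization profile will pass
through as cisco-av-pair (added example; not from the original thread).

Format under audit (as shown in the thread):
    cts:security-group-tag=<SGT as 4 hex digits>-<generation id>
e.g. cts:security-group-tag=000d-0  ->  SGT 13, generation 0
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumption: only the canonical form (exactly 4 hex digits, decimal gen id,
# nothing before or after) is accepted. Anything else is flagged, because the
# whole string is what ISE would send to the ASA.
SGT_AVPAIR_RE = re.compile(r"^cts:security-group-tag=([0-9a-fA-F]{4})-(\d+)$")

# Constructed sample records: (sAMAccountName, description attribute value).
SAMPLE_USERS: List[Tuple[str, Optional[str]]] = [
    ("alice", "cts:security-group-tag=000d-0"),                  # SGT 13, fine
    ("bob",   "cts:security-group-tag=0002-0"),                  # SGT 2, fine
    ("carol", "VPN user, Finance"),                              # free text, never set
    ("dave",  "cts:security-group-tag=ffff-0"),                  # SGT 65535, not allowed
    ("erin",  "cts:security-group-tag=000d-0;shell:priv-lvl=15"),  # extra text appended
    ("frank", None),                                             # attribute empty
]

# Assumption: SGT values this deployment intends to assign to VPN users.
ALLOWED_SGTS: Set[int] = {2, 13, 20}


@dataclass
class Finding:
    sam: str
    description: Optional[str]
    sgt: Optional[int]
    ok: bool
    reason: str


def parse_sgt_avpair(value: Optional[str]) -> Optional[Tuple[int, int]]:
    """Return (sgt_value, generation_id) for a canonical SGT av-pair, else None."""
    if not value:
        return None
    m = SGT_AVPAIR_RE.match(value)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2))


def to_avpair(sgt: int, generation: int = 0) -> str:
    """Build the canonical av-pair string to store in the AD attribute."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    return f"cts:security-group-tag={sgt:04x}-{generation}"


def audit(users: List[Tuple[str, Optional[str]]], allowed: Set[int]) -> List[Finding]:
    """Check each user's attribute value for format and allow-list membership."""
    findings: List[Finding] = []
    for sam, description in users:
        parsed = parse_sgt_avpair(description)
        if parsed is None:
            findings.append(Finding(sam, description, None, False,
                                    "not a single canonical cts:security-group-tag av-pair"))
            continue
        sgt, _generation = parsed
        if sgt not in allowed:
            findings.append(Finding(sam, description, sgt, False,
                                    f"SGT {sgt} is not in the allow-list"))
        else:
            findings.append(Finding(sam, description, sgt, True, ""))
    return findings


def failing_users(findings: List[Finding]) -> List[str]:
    """Names of users whose attribute value must be fixed before go-live."""
    return [f.sam for f in findings if not f.ok]


def run_audit() -> List[Finding]:
    return audit(SAMPLE_USERS, ALLOWED_SGTS)


if __name__ == "__main__":
    for f in run_audit():
        status = "OK  " if f.ok else "FAIL"
        print(f"{status} {f.sam:<6} sgt={f.sgt!s:<6} {f.description!r} {f.reason}")
```

The point of the last two sample records is the security caveat this design carries: the authorization profile does not validate the attribute, so anyone with write access to that AD attribute on a user object effectively chooses the av-pair the ASA receives. Restrict who can write the attribute you pick, and run a check like this one before enabling the profile.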


Got it. Thanks