2059 Views, 10 Helpful, 4 Replies

Unable to use AD groups for TACACS Authentication on ISE 2.0

alex lisogor
Level 1

I've tried following the guide on how to set up ISE 2.0 for TACACS device administration, and when I get to the "Device admin policy sets" the only thing that I can use there are the default user identity groups. It doesn't let me choose an AD group. Even if I create an identity group I am unable to map an AD group to it. Am I missing something here?


4 Replies

richwood
Level 1

You need to manually add the groups of choice from the AD source. I also found this difficult to track down in the documentation.

Navigate to External Identity Sources->Active Directory-> "your domain", select the domain you want to retrieve the groups from.

Across the page there are tabs for "Connection", "Authentication Domains", "Groups", "Attributes" and "Advanced Settings".

Select the Groups option and click on the Add button. You can then retrieve the groups from that AD source and choose the ones that you want to be able to use.

Thanks for the response richwood. I actually already have this portion of it done. My issue is when I go into Work Centers > Device admin policy sets > Default (tacacs_default) > Authorization policy > insert new rule above. Under the conditions (identity groups and other conditions) the drop-down there only gives me the listing of the default identity groups, and I am not able to pull the AD groups from this menu. Searching manually doesn't do it, and creating a new identity group and somehow mapping it to an AD group doesn't seem possible, so I'm kinda stuck at this part of it.

Accepted Solution

Make sure that you are using the 3rd box (from left to right) when building your condition based on AD groups. The 2nd box only looks at the internal Identity Store. So you will need to click on the 3rd box > Create New Condition > Select Attribute > AD1 (or whatever you named your AD connection) > External Groups

I hope this helps!

Thank you for rating helpful posts! 

I agree with Neno.

When you are on the authorization policy screen, add a row, choose the third box, which should say "condition(s)", then select "Create New Condition (Advance Option)" and choose Select Attribute, and you should see your join point name for AD in the list. Choose your AD join point and select ExternalGroups. It will default to the condition "Equals", and now your drop-down choice should show the AD groups that you created earlier.

I think that I also had to create an appropriate shell profile before this step, so you may want to do that first: Device Administration > Policy Results > TACACS Profiles. You will need default privilege and maximum privilege set on the profile.