12-08-2015 02:06 PM - edited 03-10-2019 11:18 PM
I've tried following the guide on how to set up ISE 2.0 for TACACS device administration and when I get to the "Device admin policy sets" the only thing that I can use there are the default user identity groups. It doesn't let me choose an AD group. Even if I create an identity group I am unable to map an AD group to it. Am I missing something here?
12-09-2015 01:13 PM
Make sure that you are using the 3rd box (from left to right) when building your condition based on AD groups. The 2nd box only looks at the internal Identity Store. So you will need to click on the 3rd box > Create New Condition > Select Attribute > AD1 (Or whatever you named your AD connection) > External Groups
I hope this helps!
Thank you for rating helpful posts!
12-09-2015 05:09 AM
You need to manually add the groups of choice from the AD source. I also found this difficult to track down in the documentation.
Navigate to External Identity Sources->Active Directory-> "your domain", select the domain you want to retrieve the groups from.
Across the page there are tabs for "Connection", "Authentication Domains", "Groups", "Attributes" and "Advanced Settings".
Select the Groups option and click on the Add button. You can then retrieve the groups from that AD source and choose the ones that you want to be able to use.
12-09-2015 07:21 AM
Thanks for the response richwood. I actually already have this portion of it done. My issue is when I go into Work Centers>Device admin policy sets>Default(tacacs_default)>Authorization policy>insert new rule above. Under the conditions (identity groups and other conditions) the drop-down there only gives me the listing of the default identity groups and I am not able to pull the AD groups from this menu; searching manually doesn't do it, and creating a new identity group and somehow mapping it to an AD group doesn't seem possible, so I'm kinda stuck at this part of it.
12-10-2015 01:43 AM
I agree with Neno.
When you are on the authorization policy screen, add row, choose the third box which should say "condition(s)" then select "Create New Condition (Advance Option)" and choose Select Attribute and you should see your join point name for AD in the list. Choose your AD join point and select ExternalGroups. It will default to condition "Equals" and now your drop down choice should show the AD groups that you created earlier.
I think that I also had to create an appropriate shell profile before this step, so you may want to do that first. Device Administration->Policy Results->TACACS Profiles. You will need default privilege and maximum privilege set on the profile.
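To make the distinction in the answers above concrete, here is an added, constructed model of how a device-admin authorization policy is evaluated. It is not ISE code and not from any poster; it assumes an AD join point named "AD1" and a constructed group DN, and shows why a rule bound to an internal identity group (the 2nd box) never matches an AD-authenticated user, while a condition on the join point's ExternalGroups attribute (the 3rd box) does and returns the shell profile with its default and maximum privilege.

```python
"""Toy model of an ISE device-admin authorization policy (constructed example).

This is a model written for illustration, not ISE code. It shows first-match
rule evaluation with two kinds of rule input: an internal identity-group
binding and an attribute condition on the AD join point's ExternalGroups.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the AD join point is named "AD1", as in the thread.
AD_JOIN_POINT = "AD1"
EXTERNAL_GROUPS_ATTR = f"{AD_JOIN_POINT}:ExternalGroups"


@dataclass
class ShellProfile:
    """TACACS shell profile with the two privilege values the answer mentions."""
    name: str
    default_privilege: int
    maximum_privilege: int


@dataclass
class Rule:
    name: str
    identity_groups: tuple = ()   # "2nd box": internal identity groups; empty = any
    conditions: tuple = ()        # "3rd box": (attribute, expected value) pairs
    profile: Optional[ShellProfile] = None


@dataclass
class Session:
    username: str
    identity_store: str                         # "Internal Users" or the join point
    identity_groups: tuple = ()                 # populated only for internal users
    attributes: dict = field(default_factory=dict)  # e.g. AD1:ExternalGroups -> [DNs]


def rule_matches(rule: Rule, session: Session) -> bool:
    # Identity-group bindings are resolved against the internal store only,
    # so an AD user, who carries no internal groups, can never satisfy them.
    if rule.identity_groups and not any(
        g in session.identity_groups for g in rule.identity_groups
    ):
        return False
    # Attribute conditions: ExternalGroups is multi-valued, DNs compared
    # case-insensitively (assumption of this model).
    for attr, expected in rule.conditions:
        values = session.attributes.get(attr, [])
        if not any(v.lower() == expected.lower() for v in values):
            return False
    return True


def authorize(policy, session: Session):
    """First-match evaluation; no match falls through to the default (deny) rule."""
    for rule in policy:
        if rule_matches(rule, session):
            return rule.name, rule.profile
    return "Default", None


# Constructed sample data
NETADMIN_PROFILE = ShellProfile("NetAdmin_Shell", default_privilege=15, maximum_privilege=15)
NETADMIN_DN = "CN=NetAdmins,OU=Groups,DC=example,DC=com"   # placeholder DN

POLICY = [
    # Built with the 2nd box: bound to an *internal* identity group
    Rule("ViaIdentityGroup", identity_groups=("Network Admins",), profile=NETADMIN_PROFILE),
    # Built with the 3rd box: condition on AD1 ExternalGroups
    Rule("ViaADGroup", conditions=((EXTERNAL_GROUPS_ATTR, NETADMIN_DN),), profile=NETADMIN_PROFILE),
]

AD_ADMIN = Session("alice", AD_JOIN_POINT, attributes={EXTERNAL_GROUPS_ATTR: [NETADMIN_DN]})
AD_USER = Session("bob", AD_JOIN_POINT,
                  attributes={EXTERNAL_GROUPS_ATTR: ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]})
LOCAL_ADMIN = Session("svc-local", "Internal Users", identity_groups=("Network Admins",))

if __name__ == "__main__":
    for s in (AD_ADMIN, AD_USER, LOCAL_ADMIN):
        name, prof = authorize(POLICY, s)
        print(f"{s.username}: rule={name} profile={prof.name if prof else 'deny'}")
```

Running it shows alice matching only "ViaADGroup" (the identity-group rule is skipped because she has no internal groups), bob falling through to the default deny, and the internal user matching the identity-group rule. If a rule on the real system does not fire, check that the group appears under the join point's Groups tab (the retrieval step described above) and that the condition was built in the 3rd box.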