06-12-2013 04:28 AM - edited 02-21-2020 04:54 AM
Hello
I've got a problem with the authorization to use a condition with an External Group from the LDAP.
I bound the LDAP server to the ISE and can select all groups that I need for my authorization condition.
Now I want to create an authorization profile with the use of the group “Admins”.
My policy looks like:
LDAP: ExternalGroups EQUALS CN=Admins,DC=mydomain,DC=com
The live monitor says "reject by authorization profile" every time. If I use NOT EQUALS, then the computer gets access to the network. It is very confusing, because the computer is a member of the group "Admins".
Can anybody help?
Many thanks.
06-18-2013 01:42 AM
I've seen issues while selecting LDAP as an external DB with condition/attribute as ExternalGroups. Could you please go to Live Authentications, click on the magnifying glass and paste the details of the failed attempt. I would like to know if this group is coming up in the memberOf attributes for the user.
Jatin Katyal
- Do rate helpful posts -
06-19-2013 12:54 AM
The appendix is an excerpt. I used the group "domain computers" for the test. But I can't see the group in the attributes.
I hope it is helpful.
In the appendix some are missing. Here are the Other Attributes:
MTU=1500,CPMSessionID=AC1C01C7000000040022D940,EndPointMACAddress=93-9A-88-AD-18-EE,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.178.254,Called-Station-ID=02:81:D0:11:EC:31
06-20-2013 05:08 AM
Since it's not coming in the authentication request there is no way the condition will get matched. Please don't use the domain computers group for user authentication. Could you please assign the user a different group like domain admins and test again.
Jatin Katyal
- Do rate helpful posts -
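The point made above is that an ExternalGroups EQUALS rule can only match a group DN that the LDAP lookup actually returned in the endpoint's memberOf attribute. The following is an added example, not ISE code and not from anyone in this thread, that emulates that comparison and shows the two ways such a rule fails: the DN is simply not in memberOf, or the group is the object's Active Directory primary group (Domain Computers, RID 515, for computer accounts; Domain Users, RID 513, for user accounts), which AD records in primaryGroupID rather than in memberOf, so it never shows up in the retrieved attributes. The sample directory entry and its DNs are constructed for this example; DN normalization here is a simplified, case-insensitive comparison and is not a claim about how ISE itself compares strings.

```python
# Emulates an ISE-style "LDAP:ExternalGroups EQUALS <group DN>" check against
# the attributes an LDAP lookup returned for the endpoint (constructed sample).

# Well-known AD primary-group RIDs. The primary group is stored in
# primaryGroupID, not in memberOf, so a memberOf-based rule never sees it.
WELL_KNOWN_PRIMARY_GROUP_RIDS = {513: "Domain Users", 515: "Domain Computers"}


def normalize_dn(dn: str) -> str:
    """Light DN normalization: split on unescaped commas, trim whitespace
    around each RDN, lower-case attribute types and values."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def external_groups_matches(retrieved_member_of, condition_dn: str) -> bool:
    """True iff some value of the retrieved memberOf attribute equals the
    DN used in the authorization condition (after normalization)."""
    target = normalize_dn(condition_dn)
    return any(normalize_dn(group) == target for group in retrieved_member_of)


def why_condition_failed(entry: dict, condition_dn: str) -> str:
    """Classify the outcome of the rule for a retrieved LDAP entry:
    'match', 'primary-group' (the group exists but is the AD primary group,
    hence absent from memberOf), or 'not-a-member'."""
    if external_groups_matches(entry.get("memberOf", []), condition_dn):
        return "match"
    first_rdn = normalize_dn(condition_dn).split(",")[0]
    cn = first_rdn[3:] if first_rdn.startswith("cn=") else first_rdn
    for rid, name in WELL_KNOWN_PRIMARY_GROUP_RIDS.items():
        if entry.get("primaryGroupID") == rid and name.lower() == cn:
            return "primary-group"
    return "not-a-member"


# Constructed sample: what an LDAP lookup of a computer account might return.
SAMPLE_ENTRY = {
    "dn": "CN=MYCOMPUTER,OU=Computers,DC=mydomain,DC=com",
    "memberOf": ["CN=Admins,OU=Groups,DC=mydomain,DC=com"],
    "primaryGroupID": 515,  # Domain Computers: not listed in memberOf
}

if __name__ == "__main__":
    for rule in (
        "CN=Admins,OU=Groups,DC=mydomain,DC=com",
        "cn=admins, ou=groups, dc=mydomain, dc=com",
        "CN=Domain Computers,CN=Users,DC=mydomain,DC=com",
        "CN=Finance,OU=Groups,DC=mydomain,DC=com",
    ):
        print(f"{rule!r}: {why_condition_failed(SAMPLE_ENTRY, rule)}")
```

Run it and the Admins rule matches in both spellings, the Domain Computers rule reports "primary-group", and an unrelated group reports "not-a-member". When troubleshooting a reject, compare the DN in the rule against the memberOf values shown in the Live Authentications detail, exactly as suggested above; if the group is not in that list the rule cannot match regardless of the endpoint's real membership.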
06-26-2013 01:38 AM
The same effect. The ISE said "Authentication failed : 15039 Rejected per authorization profile".
I tried 3 groups without success.
07-01-2013 09:35 AM
Post a screenshot of your authorization rules.
07-03-2013 12:29 AM
Here is the screenshot.
08-28-2013 07:32 AM
Does anybody have an idea? The problem still exists.
I have bound the LDAP and added the groups from the directory once again. But the same effect.
If I use
LDAP:ExternalGroups Equals CN=domain computers,OU=computer, DC=mydomain,DC=com
my computer gets no network access. Without this condition I get full access. I despair of this problem.