Cisco ISE LDAP

Marco Serato
Level 1

Hello

I've got a problem with the authorization to use a condition with an External Group from the LDAP.

I bind the LDAP-Server to the ISE and can select all groups that I need for my authorization condition.

Now I want to create an authorization profile with the use of the group “Admins”.

My policy looks like:

LDAP: ExternalGroups EQUALS CN=Admins,DC=mydomain,DC=com

The live monitor says every time "rejected by authorization profile". If I use NOT EQUALS, then the computer gets access to the network. It is very confusing, because the computer is a member of the group "Admins".

Can anybody help?

Many thanks.

7 Replies

Jatin Katyal
Cisco Employee

I've seen issues while selecting LDAP as an external DB with condition/attribute ExternalGroups. Could you please go to Live Authentications, click on the magnifying glass and paste the details of the failed attempt? I would like to know if this group is coming up in the memberOf attributes for the user.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Marco Serato
Level 1

The appendix is an excerpt. I used the group "domain computers" for the test. But I can't see the group in the attributes.

I hope it is helpful.


Some parts are missing from the appendix. Here are the Other Attributes:

MTU=1500,CPMSessionID=AC1C01C7000000040022D940,EndPointMACAddress=93-9A-88-AD-18-EE,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.178.254,Called-Station-ID=02:81:D0:11:EC:31

Since it's not coming in the authentication request, there is no way the condition will get matched. Please don't use the domain computers group for user authentication. Could you please assign the user a different group like domain admins and test again?

Jatin Katyal
- Do rate helpful posts -

~Jatin
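As an added illustration (not code from this thread, from Cisco, or from ISE itself), the Python below reproduces the reasoning in the reply above: an `ExternalGroups EQUALS <DN>` rule can only match if the group DN is among the memberOf values ISE retrieved for the authenticating object, and when memberOf is absent altogether, EQUALS can never be true while NOT EQUALS is always true, which is exactly the behaviour the original poster observed. It assumes (labelled in the comments) that the comparison is a DN equality check that ignores attribute-type case, value case and whitespace after commas; the memberOf lists are constructed, and the `Other Attributes` string is the one pasted in the thread.

```python
import re

# The "Other Attributes" line pasted earlier in the thread (no memberOf in it).
OTHER_ATTRIBUTES = (
    "MTU=1500,CPMSessionID=AC1C01C7000000040022D940,"
    "EndPointMACAddress=93-9A-88-AD-18-EE,Device Type=Device Type#All Device Types,"
    "Location=Location#All Locations,Device IP Address=192.168.178.254,"
    "Called-Station-ID=02:81:D0:11:EC:31"
)


def parse_other_attributes(line):
    """Split ISE's comma-separated key=value 'Other Attributes' text into a dict.

    Assumption: none of the logged values contains a bare comma (true for the
    excerpt above); DN-valued attributes would need a smarter splitter.
    """
    attrs = {}
    for item in line.split(","):
        key, sep, value = item.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def normalize_dn(dn):
    """Canonicalise a DN for comparison (assumed matching semantics):
    split on unescaped commas, trim whitespace around each RDN,
    upper-case the attribute type, lower-case the value."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append(f"{attr.strip().upper()}={value.strip().lower()}")
    return ",".join(rdns)


def external_groups_equals(condition_dn, member_of):
    """Emulate 'LDAP:ExternalGroups EQUALS <condition_dn>'.

    True only if some memberOf value equals the condition DN after
    normalisation; an empty memberOf list can never match.
    """
    target = normalize_dn(condition_dn)
    return any(normalize_dn(group) == target for group in member_of)


def diagnose(condition_dn, member_of):
    """Return a one-line verdict explaining why the rule did or did not match."""
    if not member_of:
        return ("no memberOf values returned: EQUALS can never match, "
                "NOT EQUALS always matches")
    if external_groups_equals(condition_dn, member_of):
        return "match"
    return "memberOf present but no value equals the condition DN: " + "; ".join(member_of)


if __name__ == "__main__":
    attrs = parse_other_attributes(OTHER_ATTRIBUTES)
    print("memberOf logged:", "memberOf" in attrs)          # False for this excerpt
    rule = "CN=domain computers,OU=computer, DC=mydomain,DC=com"
    print(diagnose(rule, []))                               # the thread's failing case
    # Constructed memberOf list, as a working lookup would return it:
    print(diagnose(rule, ["cn=Domain Computers,ou=Computer,dc=mydomain,dc=com"]))
```

Running the script against the excerpt prints that memberOf was not logged and that the rule cannot match; only the constructed list with the group present yields `match`. The normalisation step also shows that the stray space in `OU=computer, DC=mydomain` from the later post is not by itself what breaks the comparison under these assumptions.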

The same effect. The ISE said "Authentication failed : 15039 Rejected per authorization profile".

I tried 3 groups without success.

edondurguti
Level 4

Post a screenshot of your authorization rules.

Here is the screenshot.


Does anybody have an idea? The problem still exists.

I have bound the LDAP and added the groups from the directory once again. But the same effect.

If I use

LDAP:ExternalGroups Equals CN=domain computers,OU=computer, DC=mydomain,DC=com

My computer gets no network access. Without this condition I get full access. I despair of this problem.
