Beginner

Cisco ISE LDAP

Hello

I've got a problem with the authorization to use a condition with an External Group from the LDAP.

I bind the LDAP-Server to the ISE and can select all groups that I need for my authorization condition.

Now I want to create an authorization profile with the use of the group “Admins”.

My policy looks like:

LDAP: ExternalGroups EQUALS CN=Admins,DC=mydomain,DC=com

The live monitor says every time "rejected by authorization profile". If I use NOT EQUALS, then the computer gets access to the network. It is very confusing, because the computer is a member of the group "Admins".

Can anybody help?

Many thanks.

7 REPLIES
Cisco Employee

Re: Cisco ISE LDAP

I've seen issues while selecting LDAP as an external db with condition/attribute as ExternalGroups. Could you please go to live authentication, click on the magnifying glass and paste the details of the failed attempt. I would like to know if this group is coming up in the memberOf attributes for the user.

Jatin Katyal
- Do rate helpful posts -

~Jatin Katyal
Beginner

Re: Cisco ISE LDAP

The appendix is an excerpt. I used the group "domain computers" for the test. But I can't see the group in the attributes.

I hope it is helpful.

Some are missing in the appendix. Here are the Other Attributes:

MTU=1500,CPMSessionID=AC1C01C7000000040022D940,EndPointMACAddress=93-9A-88-AD-18-EE,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.178.254,Called-Station-ID=02:81:D0:11:EC:31

Cisco Employee

Re: Cisco ISE LDAP

Since it's not coming in the authentication request, there is no way the condition will get matched. Please don't use the domain computers group for user authentication. Could you please assign the user a different group like domain admins and test again.

Jatin Katyal
- Do rate helpful posts -

~Jatin Katyal
Beginner

Re: Cisco ISE LDAP

The same effect. The ISE says "Authentication failed : 15039 Rejected per authorization profile".

I tried 3 groups without success.

Enthusiast

Re: Cisco ISE LDAP

Post a screenshot of your authorization rules.

Beginner

Re: Cisco ISE LDAP

Here is the screenshot.

Beginner

Re: Cisco ISE LDAP

Does anybody have an idea? The problem still exists.

I have bound the LDAP and added the groups from the directory once again. But the same effect.

If I use

LDAP:ExternalGroups Equals CN=domain computers,OU=computer, DC=mydomain,DC=com

My computer gets no network access. Without this condition I get full access. I despair of this problem.
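The thread turns on whether the group DN written in the ExternalGroups condition actually matches a DN that the directory returns in the account's memberOf attribute. The following script is an added example, not code from the thread or from Cisco ISE, and it does not model how ISE itself evaluates the condition; it is a stand-alone check a practitioner can run against memberOf values exported from the directory (the values below are constructed sample data, not the appendix from the thread). It normalises both sides per the usual DN comparison rules (attribute types and the cn/ou/dc values compared case-insensitively, whitespace around RDN separators ignored) so that a cosmetic difference such as the space after a comma in "OU=computer, DC=mydomain" is not reported as a mismatch, while a structurally different DN (for instance one that omits the group's OU) is. One caveat worth knowing when reading such output: in Active Directory an account's primary group (Domain Computers by default for computer accounts) is stored in primaryGroupID and is not listed in memberOf, so a memberOf-based check will never show it.

```python
"""Check whether a group DN appears in an account's memberOf values.

Added example for this thread; the sample data is constructed and the
normalisation is a generic DN comparison, not ISE's own matching logic.
"""
import re

# Constructed sample: memberOf values as an LDAP directory might return
# them for a computer account. Note that no primary group appears here.
SAMPLE_MEMBER_OF = [
    "CN=Admins,OU=Groups,DC=mydomain,DC=com",
    "CN=Workstations,OU=computer,DC=mydomain,DC=com",
]


def normalize_dn(dn: str) -> str:
    """Return a canonical form of an LDAP DN for comparison.

    Splits on unescaped commas, trims whitespace around each RDN and
    around '=', and lowercases attribute types and values. Lowercasing
    values is appropriate for cn/ou/dc, which use case-insensitive
    matching rules in the directory.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN in DN: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def is_member(member_of, group_dn: str) -> bool:
    """True if group_dn matches any memberOf value after normalisation."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(m) == target for m in member_of)


def diagnose(member_of, group_dn: str) -> dict:
    """Report both a literal and a normalised comparison.

    'exact' False with 'normalized' True means the condition DN differs
    only cosmetically from the directory's DN; both False means the DN in
    the condition does not name a group the account is actually in.
    """
    return {
        "group_dn": group_dn,
        "exact": group_dn in member_of,
        "normalized": is_member(member_of, group_dn),
    }


if __name__ == "__main__":
    # Condition DNs in the shape used in the thread (domain names as in
    # the thread; the OU structure is part of the constructed sample).
    for candidate in (
        "CN=Admins,OU=Groups,DC=mydomain,DC=com",
        "CN=admins, OU=groups, DC=mydomain, DC=com",
        "CN=Admins,DC=mydomain,DC=com",
    ):
        print(diagnose(SAMPLE_MEMBER_OF, candidate))
```

Run it against the real memberOf values from the failed attempt's details; a result where both comparisons are False for the DN used in the condition says the condition names a DN the directory never returns for that account, which is the situation described in the replies above.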