Hello,
With ACS 5, I could do an authorization policy that checks if a user is in a specific AD group or if it is in a specific group locally in the ACS.
For example:
(AD-AD1:ExternalGroups contains any LANSwitchAdmins Or Internal Users:UserIdentityGroup in All Groups:Level 15)
In ISE, I don't know how to do that because I am creating an authorization rule as follows:
- Device:DeviceType Equals All Devices#Switches AND
- AD1:ExternalGroups Equals LANSwitchAdmins
I would like to be able to add a rule: OR
- Internal Users:UserIdentityGroup in All Groups:Level 15
But I cannot, because the UI only allows having only AND or only OR, without being able to change that...
Any clue?
Best regards,
David