488 Views, 0 Helpful, 1 Reply

ISE: How to configure a policy to check if a user is in AD OR in local?

david_mayor
Level 1

Hello,

With ACS 5, I could do an authorization policy that checks if a user is in a specific AD group or if it is in a specific group locally in the ACS.

For example:

(AD-AD1:ExternalGroups contains any LANSwitchAdmins Or Internal Users:UserIdentityGroup in All Groups:Level 15)

In ISE, I don't know how to do that because I am creating an authorization rule as follows:

- Device:DeviceType Equals All Devices#Switches AND

- AD1:ExternalGroups Equals LANSwitchAdmins

I would like to be able to add a rule : OR

- Internal Users:UserIdentityGroup in All Groups:Level 15

But I cannot, because the UI only allows having either only AND or only OR, without being able to change that...

Any clue?

Best regards,

David

1 Reply

Tarik Admani
VIP Alumni

Hi,

The real way to get this to work is to use a compound authorization condition where you can select the OR for AD or identity user group name; however, I have not had any luck making this work even on ISE 1.1.4.

Basically I was in the same situation as you where I had to build two different policies to make this work.

May want to open a TAC case since I am sure there is a bug on this, but I haven't had a chance to dig into this issue.

Tarik Admani
*Please rate helpful posts*
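To make the two approaches in this thread concrete, here is an added model (not from the post or from Cisco ISE) of first-match authorization rule evaluation: the single compound rule with the nested OR that the question asks for, beside the two-rule AND-only workaround from the reply. The attribute names come from the thread; the `Session` class, function names, sample sessions and the `PermitAccess`/`DenyAccess` outcome strings are assumptions for this example.

```python
# Added example modelling ISE-style first-match authorization rules.
# Attribute names mirror the thread; everything else is constructed here.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

@dataclass
class Session:
    device_type: str                                  # Device:DeviceType
    ad_groups: Set[str] = field(default_factory=set)  # AD1:ExternalGroups
    identity_group: Optional[str] = None              # Internal Users:UserIdentityGroup

def is_switch(s: Session) -> bool:
    return s.device_type == "All Devices#Switches"

def is_ad_admin(s: Session) -> bool:
    return "LANSwitchAdmins" in s.ad_groups

def is_local_level15(s: Session) -> bool:
    return s.identity_group == "All Groups:Level 15"

def compound_rule(s: Session) -> bool:
    """One rule with a nested condition: switch AND (AD group OR local group)."""
    return is_switch(s) and (is_ad_admin(s) or is_local_level15(s))

Rule = Tuple[str, Callable[[Session], bool], str]

def first_match(rules: List[Rule], s: Session) -> str:
    """Rules are evaluated top-down; the first matching rule's profile applies."""
    for _name, cond, profile in rules:
        if cond(s):
            return profile
    return "DenyAccess"  # implicit default when nothing matches

# The reply's workaround: two AND-only rules that together express the OR.
TWO_RULES: List[Rule] = [
    ("Switch-AD-Admins", lambda s: is_switch(s) and is_ad_admin(s), "PermitAccess"),
    ("Switch-Local-L15", lambda s: is_switch(s) and is_local_level15(s), "PermitAccess"),
]
ONE_RULE: List[Rule] = [("Switch-Admins", compound_rule, "PermitAccess")]

# Constructed sample sessions covering each branch and the non-switch case.
SAMPLES = {
    "ad_admin_on_switch": Session("All Devices#Switches", {"LANSwitchAdmins"}),
    "local_l15_on_switch": Session("All Devices#Switches", set(), "All Groups:Level 15"),
    "ad_admin_on_router": Session("All Devices#Routers", {"LANSwitchAdmins"}),
    "plain_user_on_switch": Session("All Devices#Switches", {"Staff"}, "All Groups:Level 1"),
}

def same_outcome(s: Session) -> bool:
    """True when the compound rule and the two-rule workaround agree."""
    return first_match(ONE_RULE, s) == first_match(TWO_RULES, s)
```

Because both rule sets grant the same profile, the two-rule workaround is equivalent to the compound rule as long as both rules sit above any broader catch-all rule.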