
Separate AD users to different authorization

Hi all,

Here is another question of mine after the command set. How do I separate AD users for different authorization instead of using an AD group? What I currently do is use an AD group to control a few users for the authorization on the switch. However, the customer requested that different AD users have different authorization. Any ideas for this?

Thanks and regards

Jim

1 Reply

If there is no group or attribute in AD to define the conditions, then you need to create conditions based on username.

There are two attributes that can be used:

- User-Name attribute in RADIUS IETF dictionary; this is username as presented in original RADIUS request

- UserName attribute in System dictionary

For a protocol like PAP these will be the same; however, for protocols where, for example, the initial username is presented as anonymous, the UserName attribute will contain the actual user name after all the protocol negotiation and session establishment.

So in general it is always best to use the attribute in the System dictionary.

You can select this as a condition by pressing "Customize" and selecting "System:UserName" as the condition.

There needs to be one rule per user; with large numbers this does not scale as well as group- or attribute-based rules.
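
Added example, not part of the original reply and not ISE code: a small Python model of first-match, per-user authorization rules, showing what each of the two attributes yields when the initial username is presented as anonymous. The field names, result names, default result and sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    radius_user_name: str  # RADIUS IETF User-Name, as sent in the original request
    system_user_name: str  # System UserName, known after negotiation completes

@dataclass(frozen=True)
class Rule:
    attribute: str  # which Session field the condition compares
    value: str      # username the rule is written for
    result: str     # authorization result (names below are constructed)

DEFAULT_RESULT = "DenyAccess"  # assumed default when no rule matches

def per_user_rules(attribute, assignments):
    """One rule per user, as the reply describes; grows linearly with users."""
    return [Rule(attribute, user, result) for user, result in assignments.items()]

def authorize(session, rules):
    """First matching rule wins; otherwise fall through to the default."""
    for rule in rules:
        if getattr(session, rule.attribute) == rule.value:
            return rule.result
    return DEFAULT_RESULT

# Constructed sample data: two users and three sessions.
ASSIGNMENTS = {"jim": "FullCommandSet", "anna": "ShowOnlyCommandSet"}
SESSIONS = {
    "pap_jim": Session("jim", "jim"),
    "tunneled_jim": Session("anonymous", "jim"),
    "tunneled_anna": Session("anonymous", "anna"),
}

def compare():
    """Return {session: (result keyed on User-Name, result keyed on UserName)}."""
    by_radius = per_user_rules("radius_user_name", ASSIGNMENTS)
    by_system = per_user_rules("system_user_name", ASSIGNMENTS)
    return {name: (authorize(s, by_radius), authorize(s, by_system))
            for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for name, results in compare().items():
        print(name, results)
```

In this model the rules keyed on the RADIUS User-Name never match the tunneled sessions, so both users fall through to the default, while the rules keyed on the System UserName return each user's own result.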