Using Active Directory/LDAP for External SGT Assignment with Cisco ISE

faylee · ‎04-26-2021

Create your new custom Active Directory attribute (refer to Microsoft documentation for further detail). For this example, I created a new AD attribute called "SGT".
Set the value for your custom attribute. For this example, I set SGT="Docs"
On ISE, navigate to Administration->Identity Management->External Identity Sources->Active Directory<Select your AD server>.
Select the Attributes tab and click "Add Attribute" to add your custom attribute
Navigate to Policy->Policy Sets-> <policy set name>->Authorization Policy and select/create an authorization policy.
Using the condition studio attribute editor, select use your custom attribute as a policy condition
Set the attribute value.
Click Use. Finish configuring the authorization policy and click Save

____________________________________________________________________________________

The solution above uses an attribute value in AD as a condition in authorization rules resulting in assigning an SGT.

As such, multiple authorization rules are required to assign different SGTs.

Use the following method if you would like to dynamically assign the SGT as specified within the AD user attribute.

1) Choose an existing unused attribute in AD user (supporting text) or add a new attribute for this use.

Below I have chosen the existing alt.SecurityIdentities AD attribute.

Edit the value of that user's attribute and enter what ISE would use to assign an SGT within the authorization success AV pair:

Enter "cts:security-group-tag=xxxx" where xxxx is in hex so SGT 18 for HVAC is 12:

Screenshot 2021-04-28 at 14.03.56.png

2) In ISE, retrieve that attribute from AD to use in the authorization process:

Screenshot 2021-04-28 at 14.06.44.png

3) In the ISE authorization profile, add a custom attribute as shown below:

Screenshot 2021-04-28 at 14.08.45.png

4) Now, when that user (hvac2) authenticates, it gets assigned the SGT as configured within the AD attribute.

Attribute shows up in ISE authorization accept:

SGT within auth session for the user:

Kernow-Cat9300-b#sh auth sess int g1/0/1 det

Interface: GigabitEthernet1/0/1

IIF-ID: 0x1D2E8A50

MAC Address: 0050.568f.784f

IPv6 Address: fe80::cc34:7361:cd10:ac53

IPv4 Address: 10.6.5.100

User-Name: hvac2

Device-type: Microsoft-Workstation

Device-name: MSFT 5.0

Status: Authorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Session timeout: N/A

Acct update timeout: 172800s (local), Remaining: 172759s

Common Session ID: 0219040A0000003718413DB7

Acct Session ID: 0x000000cd

Handle: 0xae00002c

Current Policy: PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

Local Policies:

Server Policies:

Vlan Group: Vlan: 1021

SGT Value: 18

Method status list:

Method State

dot1x Authc Success

Outcome: One ISE authz rule required to assign many different SGTs, based on an attribute within the AD user entry.

Lanbus41894 · ‎02-09-2022

Hello,
Thanks for your post, I am trying to do that using extendedAttributes to validate the workflow.
However, ISE does not retrieve those attributes. Is there something to do to force it to retrieve all attributes ?

Lanbus41894 · ‎02-09-2022

My bad,
For information, and the next that will have the question, it takes some time for the ise to see that the attribute is filled and to retrieve it for the first time. This morning it works for me.