Cisco ISE LDAP

Marco Serato
Level 1

Hello

I've got a problem with authorization when using a condition with an External Group from LDAP.

I bound the LDAP server to ISE and can select all the groups that I need for my authorization condition.

Now I want to create an authorization profile with the use of the group “Admins”.

My policy looks like:

LDAP: ExternalGroups EQUALS CN=Admins,DC=mydomain,DC=com

The live monitor says "rejected per authorization profile" every time. If I use NOT EQUALS, then the computer gets access to the network. This is very confusing, because the computer is a member of the group “Admins”.

Can anybody help?

Many thanks.

7 Replies

Jatin Katyal
Cisco Employee

I've seen issues while selecting LDAP as an external DB with the condition/attribute ExternalGroups. Could you please go to Live Authentications, click on the magnifying glass and paste the details of the failed attempt? I would like to know if this group is coming up in the memberOf attributes for the user.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Marco Serato
Level 1

The attachment is an excerpt. I used the group "domain computers" for the test, but I can't see the group in the attributes.

I hope it is helpful.

Some attributes are missing from the attachment. Here are the Other Attributes:

MTU=1500,CPMSessionID=AC1C01C7000000040022D940,EndPointMACAddress=93-9A-88-AD-18-EE,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.178.254,Called-Station-ID=02:81:D0:11:EC:31

Since it's not coming in the authentication request, there is no way the condition will get matched. Please don't use the domain computers group for user authentication. Could you please assign the user a different group, like domain admins, and test again?

Jatin Katyal
- Do rate helpful posts -

~Jatin
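To make the behaviour Jatin describes concrete, here is an added illustration (not ISE code and not from this thread) that models how a group condition evaluates when the group value is simply absent from the request: EQUALS can never match, while NOT EQUALS is vacuously true, which is exactly the confusing permit-on-NOT-EQUALS result the original post reports. The attribute name `ExternalGroups`, the DN normalisation rules and both sample requests are assumptions constructed for the example.

```python
import re

# Constructed sample of the "Other Attributes" ISE logged for the failed
# attempt in the thread: no group / memberOf value is present at all.
REQUEST_WITHOUT_GROUP = {
    "MTU": "1500",
    "EndPointMACAddress": "93-9A-88-AD-18-EE",
    "Device IP Address": "192.168.178.254",
}

# Constructed sample of what the request would have to carry for the
# condition to match (attribute name is an assumption, not taken from ISE).
REQUEST_WITH_GROUP = dict(
    REQUEST_WITHOUT_GROUP,
    ExternalGroups=["CN=Domain Computers, OU=computer,DC=mydomain,DC=com"],
)


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison.

    Assumption: attribute types and values compare case-insensitively and
    whitespace around the RDN separator is ignored, so the stray space in
    'OU=computer, DC=mydomain' from the thread does not defeat the match.
    Escaped commas (backslash-comma) inside values are not treated as separators.
    """
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().lower() for r in rdns)


def evaluate_group_condition(attributes: dict, operator: str, group_dn: str) -> bool:
    """Evaluate 'ExternalGroups <operator> group_dn' against one request."""
    groups = attributes.get("ExternalGroups", [])  # absent attribute -> nothing to match
    target = normalize_dn(group_dn)
    matched = any(normalize_dn(g) == target for g in groups)
    if operator == "EQUALS":
        return matched
    if operator == "NOT EQUALS":
        return not matched  # vacuously true when the attribute is missing
    raise ValueError(f"unsupported operator: {operator}")


if __name__ == "__main__":
    cond = "CN=domain computers,OU=computer, DC=mydomain,DC=com"
    for name, req in (("missing group", REQUEST_WITHOUT_GROUP), ("group present", REQUEST_WITH_GROUP)):
        for op in ("EQUALS", "NOT EQUALS"):
            verdict = "permit" if evaluate_group_condition(req, op, cond) else "reject"
            print(f"{name:14} {op:10} -> {verdict}")
```

The practical check this models is the one Jatin asks for: confirm in the Live Authentications detail that the group actually arrives in the request before debugging the rule itself.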

The same effect. The ISE said "Authentication failed : 15039 Rejected per authorization profile".

I tried 3 groups without success.

edondurguti
Level 4

Post a screenshot of your authorization rules.

Here is the screenshot.


Does anybody have an idea? The problem still exists.

I have bound the LDAP and added the groups from the directory once again, but the effect is the same.

If I use

LDAP:ExternalGroups Equals CN=domain computers,OU=computer, DC=mydomain,DC=com

My computer gets no network access. Without this condition I get full access. I'm in despair over this problem.
