I write this post because I face an issue with the External Group coming from my active directory on authorization policies.
We have several nested groups under a kind of root group, such as :
NETWORK_USER > CISCO
NETWORK_USER > OTHER_VENDOR
My goal is to use the nested group in order to build my AuthZ policies to select the group dedicated to the right technology to allow only technology "owner" to login into the switch.
Unfortunately, when ISE is retrieving groups from AD for a user who is trying to connect, it will only retrieve the root group (NETWORK_USER) and not the "Cisco" or "Other_Vendor" group.
Is it something possible to do ? Do you already faced this kind of issue ?
Thanks for your help !
Have you tried testing the user's Group assignment, by doing a Test User in the External Identity Sources > AD ? You can perform a "Lookup" on a user without needing to know their password. ISE will tell you what AD Groups that user is a member of. There is no magic involved here, because it's an exact dump of the AD Group Membership of that user (ISE doesn't mess that up). If the user is a member of NETWORK_USER > CISCO then ISE will tell you.
I suspect that your AD structure is made up of OUs and not Security Groups. Those are two different things in AD.
Let's assume that you have and OU structure, then you can still perform this in ISE Authorization Policy. Take a look at this article that explains how to use the AD Attributes feature to perform OU matching.
Thanks for your feedback.
Sorry, something I didn't explain very well we’re not using a proper AD Join we are using the LDAP join so I can’t really Test the user.
I can see on which group the user belongs when clicking on “details” on the authentication. And I can see that the nested group is not shown for the user in ExternalGroup under “Other Attributes”.
But if I try to retrieve them on Ex ID Source > LDAP > Groups I can retrieve the nested group without any issues.
For example two of my not working nested group are CN=Cisco,OU=RADIUS,OU=Groups,OU=mydomain,DC=mydomain,DC=com & CN=Other,OU=RADIUS,OU=Groups,OU= mydomain,DC= mydomain,DC=com.
I find LDAP challenging at the best of times. I don't use it much, but each time I have to use a tool like LDAP Browser to remind me how things work. You can certainly test a user lookup in ISE under the LDAP Identity Source, then select the Attributes tab. Click "Add" and then choose "Select Attributes from Directory". In the Example Subject field, you must put the exact Subject string to retrieve a single account. E.g. in my lab I used CN=Arne Bier,CN=Users,DC=rnlab,DC=local - then click Retrieve Attributes.
Ok. Where to start... I am using Windows Server 2016 Active Directory and I have bound to the AD using LDAP TCP/389.
I created some dummy OUs and a Group within that OU. I then also added a test user into the Group.
The ISE search base DNs I used are the top-level of the domain rnlab.local. e.g. DC=rnlab,DC=local
I always modify the ISE LDAP schema, based on the default Active Directory schema, but instead of sUserPrincipalName, I use Subject Name Attribute = sAMAccountName.
Then I added two Groups - notice the DN structure
Policy AuthZ as follows
The Live Logs Details shows the results
Hello @Arne Bier
Thanks for your time over your lab.
That's not exactly the same issue i guess. Here you have a group in a specific OU and the user belongs to a specific group.
My goal is to have a user belonging to a specific group in which other groups are member of and retrieve them on ISE. For example :
I have my user 'myuser' who belongs to Network User group :
I also have "Cisco" and "Other" which are members of "Network_User" :
My goal is to say if myuser is a network_user, since other and cisco are members of network_user myuser will be implicitly member of Cisco and Other. With that i would like to permit all Network_Users to be part of Cisco and Other groups and also give me the possibility to add users from others group to be member of "Cisco" or "Other" group without being in Network User.
I don't know if it's more clear to you.