02-25-2022 04:13 AM
Are nested (indirect) AD groups supported by ISE >= 2.7?
I want to check group membership in TACACS+ authorization.
Answers from people who have already verified this are welcome.
02-25-2022 04:19 AM
Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.
Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:
Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.
Domain local groups outside a user’s or computer’s account domain are not supported.
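As an added example (not code from this thread or from Cisco), the following is a small offline model of the group rules quoted above: primary, direct and nested groups count, while domain-local groups outside the account's own domain are dropped. It can be used to predict whether an ISE authorization condition on a top-level group would match an account; the Group and Account classes, the DNs and the domains are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    domain: str                 # domain that hosts the group
    scope: str                  # "global", "universal" or "domainlocal"
    members: set = field(default_factory=set)  # DNs of accounts or groups

@dataclass
class Account:
    dn: str
    domain: str
    primary_group: str          # primary group DN (not listed in memberOf)

def supported(group: Group, account: Account) -> bool:
    """Domain-local groups outside the account's domain are not usable."""
    return not (group.scope == "domainlocal" and group.domain != account.domain)

def effective_groups(account: Account, directory: dict) -> set:
    """Primary, direct and nested groups, walking member-of edges upward."""
    found = {account.primary_group}
    frontier = {account.dn, account.primary_group}
    while frontier:
        nxt = set()
        for dn, g in directory.items():
            if dn not in found and frontier & g.members and supported(g, account):
                found.add(dn)
                nxt.add(dn)
        frontier = nxt      # unsupported groups are never traversed through
    return found

def authz_matches(account: Account, condition_group: str, directory: dict) -> bool:
    """True if an ISE condition referencing condition_group would match."""
    return condition_group in effective_groups(account, directory)

# Constructed sample forest: corp.example (account domain) and branch.example
ALICE = Account("CN=alice,OU=Users,DC=corp,DC=example", "corp.example",
                "CN=Domain Users,CN=Users,DC=corp,DC=example")
TIER2 = "CN=NetOps-Tier2,OU=Groups,DC=corp,DC=example"
NETOPS_ALL = "CN=NetOps-All,OU=Groups,DC=corp,DC=example"  # top-level group in ISE
BRANCH_LOCAL = "CN=Branch-Admins,OU=Groups,DC=branch,DC=example"
DIRECTORY = {
    ALICE.primary_group: Group("corp.example", "global"),
    TIER2: Group("corp.example", "global", {ALICE.dn}),
    NETOPS_ALL: Group("corp.example", "universal", {TIER2}),          # nested
    BRANCH_LOCAL: Group("branch.example", "domainlocal", {ALICE.dn}),  # unsupported
}

if __name__ == "__main__":
    print(sorted(effective_groups(ALICE, DIRECTORY)))
```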
02-25-2022 07:00 AM
Are nested (indirect) AD groups supported by ISE >= 2.7? Did you verify that in the past by your own setup?
- Yes, this will work. Just map to the top-level AD security group in your ISE authz conditions.
02-25-2022 04:38 AM
Thank you for the quick answer.
Did you verify that in the past by your own setup?
(I am asking because my experiences with indirect AD groups were bad long long ago)
02-25-2022 07:19 AM
I did my own test and I can confirm the provided answers.
Thanks for the correct answers!