ISE >=2.7 - nested (indirect) AD groups - supported?

Marcus Hunold (Level 1)

Are nested (indirect) AD groups supported by ISE >=2.7?

I want to check group membership in TACACS+ authorization.

Answers from people who have already verified this fact are welcome.

 


4 Replies

balaji.bandi (Hall of Fame), accepted solution

Active Directory Attribute and Group Retrieval for Use in Authorization Policies

Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.

Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:

  • Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.

  • Domain local groups outside a user’s or computer’s account domain are not supported.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_asset_visibility.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for the quick answer.

Did you verify that in the past by your own setup?

(I am asking because my experiences with indirect AD groups were bad long, long ago.)

Mike.Cifelli (VIP Alumni), accepted solution

"Are nested (indirect) AD groups supported by ISE >=2.7? Did you verify that in the past by your own setup?"

- Yes, this will work. Just map to the top-level AD sec group in your ISE authz conditions.
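Both the admin guide passage quoted by balaji.bandi and Mike's advice to map the top-level group come down to how transitive (nested) membership is resolved and which groups are excluded. The script below is an added example written for this thread; it is not Cisco ISE code and not something either poster provided. It walks a small constructed directory snapshot (the group DNs, user DN and the corp/partner domains are invented), resolves direct and nested membership with cycle protection, applies the quoted restriction that a domain local group outside the user's account domain is not usable, and builds the LDAP filter an administrator would use to ask a live domain controller the same question. The groupType bit values and the matching-rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) are Microsoft's documented values; everything else is assumed for illustration.

```python
"""Resolve direct and nested AD group membership offline and apply the
ISE restriction on domain local groups from a foreign domain.
Added example; constructed data, not a real directory or ISE code."""
from collections import deque

# Microsoft groupType flag bits (documented values).
GT_GLOBAL = 0x00000002
GT_DOMAIN_LOCAL = 0x00000004
GT_UNIVERSAL = 0x00000008
GT_SECURITY = 0x80000000

# Constructed snapshot: group DN -> groupType and direct 'member' DNs.
# NetAdmins <-> NetOps-Tier2 form a deliberate cycle; PartnerAccess is a
# domain local group in another domain that contains a corp global group.
DIRECTORY = {
    "CN=NetAdmins,OU=Groups,DC=corp,DC=example": {
        "groupType": GT_SECURITY | GT_GLOBAL,
        "member": ["CN=NetOps-Tier2,OU=Groups,DC=corp,DC=example"],
    },
    "CN=NetOps-Tier2,OU=Groups,DC=corp,DC=example": {
        "groupType": GT_SECURITY | GT_GLOBAL,
        "member": ["CN=alice,OU=Users,DC=corp,DC=example",
                   "CN=NetAdmins,OU=Groups,DC=corp,DC=example"],
    },
    "CN=PartnerAccess,OU=Groups,DC=partner,DC=example": {
        "groupType": GT_SECURITY | GT_DOMAIN_LOCAL,
        "member": ["CN=NetAdmins,OU=Groups,DC=corp,DC=example"],
    },
}


def account_domain(dn):
    """Join the DC= components of a DN, e.g. 'corp.example'."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))


def is_domain_local(group_dn):
    return bool(DIRECTORY[group_dn]["groupType"] & GT_DOMAIN_LOCAL)


def build_parent_index():
    """Invert 'member' into memberOf: object DN -> groups it is directly in."""
    idx = {}
    for group_dn, attrs in DIRECTORY.items():
        for member_dn in attrs["member"]:
            idx.setdefault(member_dn, set()).add(group_dn)
    return idx


def resolve_groups(user_dn):
    """Return (direct, nested) sets of group DNs for user_dn.
    Breadth-first walk over memberOf with a visited set so cycles terminate."""
    parents = build_parent_index()
    direct = set(parents.get(user_dn, ()))
    seen = set(direct)
    queue = deque(direct)
    while queue:
        group_dn = queue.popleft()
        for parent in parents.get(group_dn, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return direct, seen - direct


def usable_in_policy(user_dn, group_dn):
    """Model the quoted rule: direct and nested groups may be referenced, but a
    domain local group outside the user's account domain is not supported."""
    direct, nested = resolve_groups(user_dn)
    if group_dn not in direct | nested:
        return False
    if is_domain_local(group_dn) and account_domain(group_dn) != account_domain(user_dn):
        return False
    return True


def in_chain_filter(group_dn):
    """LDAP filter that asks AD itself for transitive members of group_dn
    via LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941)."""
    return f"(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:={group_dn}))"


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=corp,DC=example"
    direct, nested = resolve_groups(alice)
    print("direct:", sorted(direct))
    print("nested:", sorted(nested))
    for g in DIRECTORY:
        print(f"{g}: usable in policy = {usable_in_policy(alice, g)}")
    print(in_chain_filter("CN=NetAdmins,OU=Groups,DC=corp,DC=example"))
```

Running it shows that alice is only a direct member of NetOps-Tier2, reaches NetAdmins through nesting (which is why Mike's "map to the top-level group" works), and that PartnerAccess, although reachable, is rejected because it is a domain local group in partner.example rather than in her account domain. The `in_chain_filter` output is the filter to paste into an `ldapsearch` or PowerShell `Get-ADUser -LDAPFilter` call to confirm the same transitive membership against a real domain controller before relying on it in an ISE TACACS+ authorization rule.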

 

Marcus Hunold (Level 1)

I did my own test and I can confirm the provided answers.

Thanks for the correct answers!