Menu Close

How to use Active Directory OUs in Cisco ISE Authorization Rules?

In this post I will show you how easy is to use Active Directory OUs in Cisco ISE authorization rules. Although it is not very common, but there are still a lot of companies around that are using the Active Directory OUs to segregate the users in Active Directory rather than using the groups.

In our lab we have an FTD appliance already configured with AnyConnect VPN profile. ISE is also configured on the FTD appliance as the authentication and authorization server. The AnyConnect authentication method we are going to use is username and password based.

Our ISE policy set for AnyConnect users is going to allow the users that are part of the Active Directory OU that is called MyUsers. We will be focusing only on the authorization part of the configuration.

First thing we need to do will be adding an Active Directory attribute which will allow us to use the OUs in our policy set. Then we will move on to create an authorization rule to only match the users that are part of our Active Directory OU MyUsers as mentioned above. Let's get started.

Step 1: Add Active Directory Attribute

Go to Administration > Identity Management > External Identity Sources > Attributes > Add > Select Attributes From Directory

Step 2: Select Active Directory distinguishedName

Type any existing username on Active Directory and click Retrieve Attributes and finally select distinguishedName and click OK

You can also add an Active Directory attribute by clicking Add > Add Attribute and typing the attribute name.

Click Save

Step 3: Add Authorization Rule

Go to Policy > Policy Sets > Authorization Policy

You might need to wait a couple of minutes before the distinguishedName attribute shows up on the list.

You can also use Matches with .*(myusers).*, .*(ou=myusers).*, or .*(ou=MyUsers). All of them worked for me.


Before we wrap up this post about how to use Active Directory OUs in Cisco ISE authorization rules, I want to show you how you can set up ISE authorization rule to distinguish the exact path of the OU rather than using the individual OU names.

For instance, say you have two OUs with the same name, but each one is located in a different place. The way how to set up ISE authorization rule in that case should include the whole OU path. For example, say we have two OUs called test, but one is located under MyUsers OU and the other is located under MyDevices OU. In that case, the authorization rule on ISE should look similar to this:

This wraps up this post about how to use Active Directory OUs in Cisco ISE authorization rules.

Thank you for reading!

Posted in Blog, ISE, Security, Tips & Tricks

Related Posts

Scroll To Top
Share via
Copy link
Powered by Social Snap