https://community.cisco.com/t5/network-access-control/ise-radius-authentication-match-on-ad-group-membership-to-base/m-p/4015841#M454383 <P><SPAN>Is it possible to&nbsp;match upon initial Authentication against an AD Group to then have a different Identity Source used? </SPAN></P><P>&nbsp;</P><P><SPAN>Generally I'm only aware of it being possible to match against an AD Group AFTER a User has authenticated via an Authorization Policy. </SPAN><SPAN>Use Case is for VPN users, and the client wants to slowly role out changing authentication sources (AD to MFA). I've gotten the standard method I'm aware of working, which is via matching on a different Group-Policy and/or Tunnel-Group from the ASA, but they were looking for an easier method to deploy to end users. </SPAN></P><P>&nbsp;</P><P><SPAN>If they can't get it to work this way, then I'll just work on modifying the AnyConnect Profile to point to the new FQDN URL and call it good, but I wanted to ask this space if they had ever tried matching against AD Group during initial Authentication Queries. </SPAN></P><P>&nbsp;</P><P><SPAN>I'm thinking not, the more I think of it, as the endpoint/user hasn't been sent to the Identity Source which would then pull/provide those details.</SPAN></P> Wed, 22 Jan 2020 03:21:36 GMT jason.erbe 2020-01-22T03:21:36Z https://community.cisco.com/t5/network-access-control/ise-radius-authentication-match-on-ad-group-membership-to-base/m-p/4015841#M454383 <P><SPAN>Is it possible to&nbsp;match upon initial Authentication against an AD Group to then have a different Identity Source used? </SPAN></P><P>&nbsp;</P><P><SPAN>Generally I'm only aware of it being possible to match against an AD Group AFTER a User has authenticated via an Authorization Policy. </SPAN><SPAN>Use Case is for VPN users, and the client wants to slowly role out changing authentication sources (AD to MFA). I've gotten the standard method I'm aware of working, which is via matching on a different Group-Policy and/or Tunnel-Group from the ASA, but they were looking for an easier method to deploy to end users. </SPAN></P><P>&nbsp;</P><P><SPAN>If they can't get it to work this way, then I'll just work on modifying the AnyConnect Profile to point to the new FQDN URL and call it good, but I wanted to ask this space if they had ever tried matching against AD Group during initial Authentication Queries. </SPAN></P><P>&nbsp;</P><P><SPAN>I'm thinking not, the more I think of it, as the endpoint/user hasn't been sent to the Identity Source which would then pull/provide those details.</SPAN></P> Wed, 22 Jan 2020 03:21:36 GMT https://community.cisco.com/t5/network-access-control/ise-radius-authentication-match-on-ad-group-membership-to-base/m-p/4015841#M454383 jason.erbe 2020-01-22T03:21:36Z https://community.cisco.com/t5/network-access-control/ise-radius-authentication-match-on-ad-group-membership-to-base/m-p/4015877#M454385 Hi<BR /><BR />You can't use ad group in the authentication rule, only on authorization.<BR />You need to differentiate using other attributes like you said.<BR /> Wed, 22 Jan 2020 04:38:49 GMT https://community.cisco.com/t5/network-access-control/ise-radius-authentication-match-on-ad-group-membership-to-base/m-p/4015877#M454385 Francesco Molino 2020-01-22T04:38:49Z