topic Re: Device authentication with Tacacs using RSA and AD in Network Access Control

Device authentication with Tacacs using RSA and AD

kondzio24 — Thu, 20 Jun 2019 12:46:07 GMT

Both RSA and AD are setup as external identities. RSA is also using AD as identity store. So effectively all accounts are present in both ext. ID stores. What I’m trying is to set my policy so that when I use an account that ends “_a” it requires to use RSA 2/fa. All other accounts in that match specific security group just get in with read only.

Is there a way to match “_a” accounts to be authenticated against certain ext ID store, RSA in my case? I’ve tried with “contains” and “end with” in the policy but doesn’t seem to make a difference and it simply doesn’t want to match.

Re: Device authentication with Tacacs using RSA and AD

rubenvankomen — Thu, 20 Jun 2019 17:26:56 GMT

Hello,

As you described, you can match an attribute to a value in the authentication policy to make sure that certain users use a specific Identity Store or Identity Store Sequence. Can you please confirm that you are using the Device Administration Policy set (Work Centers > Device Administration > Device Admin Policy Sets) and not the Network Acces Policy set for TACACS+ Device Administration?

If you are using the correct Policy set, can you provide a screenshot of the condition?

Re: Device authentication with Tacacs using RSA and AD

hslai — Tue, 02 Jul 2019 04:09:24 GMT

Adding to what rubenvankomen suggested...

Below is an example of T+ policy sets similar to what you asked for and I tested working:

Two policy sets: One with TACACS.User endsWith 1 and the other is default.

The Username ends with 1 Policy set uses MFA (e.g. DuoRADIUS)

The default policy set uses AD to auth the users.