https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868279#M472461 <P>Thanks for the reply. So the way around it is to use "If User not found - CONTINUE" option so the second authentication policy is checked?</P><P>&nbsp;</P><P>And also using a scope with both join points or identity source sequence with each individual join point would work with REJECT option right?</P><P>&nbsp;</P> Wed, 05 Jun 2019 16:56:00 GMT Madura Malwatte 2019-06-05T16:56:00Z https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868242#M472459 <P>I just wanted to confirm the behaviour, where I have two active directory join points in ISE. If I am not using scope mode or All_AD_Join_Points in Identity Source Sequences can I have multiple authentication policies with a single AD join point?</P><P>Example, I have two authentication polices with identical condition, but each one is referencing a different join point. If the user is not found in AD-server1 in rule 802.1x AD1, will ISE move to the next rule 802.1x AD2 and check the user in AD-server2?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2019-06-06 at 1.48.25 am.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/38092iFB02636509E1516B/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2019-06-06 at 1.48.25 am.jpg" alt="Screen Shot 2019-06-06 at 1.48.25 am.jpg" /></span></P> Wed, 05 Jun 2019 15:57:51 GMT https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868242#M472459 Madura Malwatte 2019-06-05T15:57:51Z https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868260#M472460 No, it will check the first policy and get rejected if the user is belong to AD server 2. As you have mentioned if user not found reject. Wed, 05 Jun 2019 16:17:18 GMT https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868260#M472460 Aravind Ravichandran 2019-06-05T16:17:18Z https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868279#M472461 <P>Thanks for the reply. So the way around it is to use "If User not found - CONTINUE" option so the second authentication policy is checked?</P><P>&nbsp;</P><P>And also using a scope with both join points or identity source sequence with each individual join point would work with REJECT option right?</P><P>&nbsp;</P> Wed, 05 Jun 2019 16:56:00 GMT https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868279#M472461 Madura Malwatte 2019-06-05T16:56:00Z https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868383#M472462 <P>If you provide condition continue it will move to the authorization policy.</P><P>&nbsp;</P><P>You can create a identity source sequence for AD1 and AD2. So that if the user not found on AD1 , then it will do the look up on AD2. This will happen based on the sequence you have defined.</P> Wed, 05 Jun 2019 19:17:02 GMT https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868383#M472462 Sathiyanarayanan Ravindran 2019-06-05T19:17:02Z https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868515#M472463 Yes correct, user not found - continue option is used in case of guest user with mab authentication. And for dot1x, create a identity sequence and call both the AD and select the option as move to next identity store. Wed, 05 Jun 2019 23:33:30 GMT https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3868515#M472463 Aravind Ravichandran 2019-06-05T23:33:30Z https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3874677#M472465 <P>Scope is used to have multiple join points. These join points may not be trusted. You will be using the scope in the auth policy or Identity source sequence. At that point ISE checks the join points in the scopes or Identity source sequence since it is part of the same policy, "The USER not found = Reject" does not impact as long as the join points, User stores are part of scopes or ISS.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#concept_2D3FDBAD9F50469BA09704BF409209C7" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#concept_2D3FDBAD9F50469BA09704BF409209C7</A></P> <P>&nbsp;</P> <P>Thanks</P> <P>Krishnan</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 18 Jun 2019 00:37:04 GMT https://community.cisco.com/t5/network-access-control/authentication-policies-order-of-operation-with-multiple-join/m-p/3874677#M472465 kthiruve 2019-06-18T00:37:04Z