topic ISE Authorization with multiple Identity Stores in Network Access Control

ISE Authorization with multiple Identity Stores

hsangral — Sun, 24 Mar 2019 09:10:05 GMT

Hello,

After converting the ACS config to ISE i noticed that there are rules with conditions which check multiple Identity stores for authorization.

Like the attached screenshot, One condition checks the user in a AD group and the other Matches RSA.

Is something like this possible, Will these authorization rules check the user presence in both of the identity stores

Re: ISE Authorization with multiple Identity Stores

Sathiyanarayanan Ravindran — Sun, 24 Mar 2019 15:11:25 GMT

Hi Hsangral,

You have created a Policy with AND condition hence the lookup is happening in both AD and RSA, If you want to make either or choice do OR conditioning.

You can play with the conditions based on your requirements.

Re: ISE Authorization with multiple Identity Stores

Sathiyanarayanan Ravindran — Sun, 24 Mar 2019 15:16:01 GMT

Hi Hsangral,

You have created a Policy with AND condition hence the lookup is happening in both AD and RSA, If you want to make either or choice do OR conditioning.

You can play with the conditions based on your requirements.

Re: ISE Authorization with multiple Identity Stores

hsangral — Sun, 24 Mar 2019 16:12:21 GMT

Thanks Ravindran,

I understand that an Or condition is possible but what I Actually wanted to know is if ISE would support multiple look ups in authorization policy? Like AD then RSA?

Re: ISE Authorization with multiple Identity Stores

Aravind Ravichandran — Sun, 24 Mar 2019 16:36:08 GMT

You can do multiple lookup in authentication policy, if your ask is to login into the NAD with AD & then for enable mode it's RSA, you can achieve it with authentication policy.

create auth policy1 with tacacs service equals login and use the identity store as AD & another auth policy2 with tacacs service equals enable and use the identity store as RSA.

In this way you can achieve AD + RSA to validate login.

-Aravind

Re: ISE Authorization with multiple Identity Stores

hsangral — Sun, 24 Mar 2019 17:40:34 GMT

My question still remains, Can a authorization policy have a condition to do multiple looks ups ??

Please refer to the screen shot, Will something like this work? I am asking because these are the policies I got after ACS conjfig conversion.

I understand that we can have multiple condition in auth policies like you said but my question is regarding authorization

Re: ISE Authorization with multiple Identity Stores

bern81 — Mon, 25 Mar 2019 11:34:29 GMT

Hi,

As far as i know, you do sequnetial lookups in authentication policy not authorization policy.

In authorization policy you define that if this user if part of let's say AD group /employee then apply an authorization profile (Vlan, Dacl...), you could do many .

In authentication policy you can do sequential lookup (external identity group sequence).

Please rate if helpful

Re: ISE Authorization with multiple Identity Stores

hslai — Mon, 25 Mar 2019 12:57:06 GMT

The authorization policy rule should work. However, I would recommend to put the AD condition last so to avoid AD lookups, which usually contribute more latency, if the other conditions fail.

Re: ISE Authorization with multiple Identity Stores

hsangral — Mon, 25 Mar 2019 13:52:49 GMT

Thank you for the recommendation.

So the authorization condition would just check the presence of the user in the RSA and AD database and should work

Re: ISE Authorization with multiple Identity Stores

hslai — Mon, 25 Mar 2019 14:08:31 GMT

Yes. This is a common use case.