https://community.cisco.com/t5/network-access-control/ise-authorization-when-using-proxy-radius-for-authentication/m-p/3556383#M518839 <HTML><HEAD></HEAD><BODY><P>How are you driving the authentication to your Proxy RADIUS server vs. AD?&nbsp; It looks like you have Wired_802.1x in both lines.</P><P></P><P>Are the proxy RADIUS usernames also in AD?&nbsp; If not you simply could add an AD group criteria to your authorization rules for the AD users.&nbsp; The proxy RADIUS users wouldn't pass that criteria.</P><P></P><P>Also the Network Access-&gt;AuthenticationIdentityStore condition may tell you what you need as well.</P></BODY></HTML> Fri, 05 Jan 2018 14:44:56 GMT paul 2018-01-05T14:44:56Z https://community.cisco.com/t5/network-access-control/ise-authorization-when-using-proxy-radius-for-authentication/m-p/3556382#M518837 <HTML><HEAD></HEAD><BODY><P>Hi All, </P><P></P><P>I am trying to develop a policy that will allow me to apply ISE Authorization when using a proxy RADIUS server</P><P></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;">I believe I have the authentication part sussed. I.E if: wired 802.1x Use proxy Service: &lt;external identity sequence&gt; </P><P></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;">The difficult I am having is matching this with a condition on the Authorization policy. For example, I would like the authorisation policy to say something along the lines of:</P><P></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;">If: Proxy RADIUS state is active -&nbsp; Then: &lt;Permissions&gt;</P><P></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;">or</P><P></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;">If: Proxy Radius authentication successful - Then: &lt;permissions&gt;</P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;"></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;">I need this match as I am trying to authenticate 2 different groups of users using 802.1x via two different authentication methods (external RADIUS server and AD)</P><P></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;">Do you have any ideas as to which conditions could be used to achieve this? below image included to try and demonstrate what I am trying to achieve:</P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;"></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;"><IMG alt="ProxyRadiusAuthorization.png" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/114428_ProxyRadiusAuthorization.png" style="height: 183px; width: 620px;" /></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;"></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;">Many Thanks in advance</P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;"></P><P style="font-size: 12px; font-family: arial; color: #3d3d3d;">Paul </P></BODY></HTML> Thu, 04 Jan 2018 16:26:48 GMT https://community.cisco.com/t5/network-access-control/ise-authorization-when-using-proxy-radius-for-authentication/m-p/3556382#M518837 cs_macker 2018-01-04T16:26:48Z https://community.cisco.com/t5/network-access-control/ise-authorization-when-using-proxy-radius-for-authentication/m-p/3556383#M518839 <HTML><HEAD></HEAD><BODY><P>How are you driving the authentication to your Proxy RADIUS server vs. AD?&nbsp; It looks like you have Wired_802.1x in both lines.</P><P></P><P>Are the proxy RADIUS usernames also in AD?&nbsp; If not you simply could add an AD group criteria to your authorization rules for the AD users.&nbsp; The proxy RADIUS users wouldn't pass that criteria.</P><P></P><P>Also the Network Access-&gt;AuthenticationIdentityStore condition may tell you what you need as well.</P></BODY></HTML> Fri, 05 Jan 2018 14:44:56 GMT https://community.cisco.com/t5/network-access-control/ise-authorization-when-using-proxy-radius-for-authentication/m-p/3556383#M518839 paul 2018-01-05T14:44:56Z