topic Re: ISE Authorization in Network Access Control

ISE Authorization

Mostafa.Ragab — Fri, 21 Feb 2020 18:42:19 GMT

Dears,

I have ISE server and I am using dot1x to authorize users based on LDAP group. I want to make a double layer of authorization. When the user plug the network cable to the PC the PC should be authenticated and authorized as a domain machine (Using Domain machines LDAP group) then when the user log in the PC using his domain username he should be authenticated and authorized using his domain name.

My question here, How can I force the switch to make a COA to the PC whin the user log in with his domain username and password? and what is the order of authorization rules?

Thanks in advance 🙂

Re: ISE Authorization

Francesco Molino — Tue, 26 Dec 2017 16:41:31 GMT

Hi,

CoA should be enabled globally. As soon as you log-in with username, CoA will be initiated. The order should be rules for username and after rule for machine.
To achieve that, you can use EAP-Chaining with Anyconnect or MAR (caching nethod agentless).

Re: ISE Authorization

Mohammed al Baqari — Tue, 26 Dec 2017 17:14:39 GMT

With windows builtin supplicant I have seen coa not being sent many times.
Best option is to use anyconnect nam