https://community.cisco.com/t5/network-access-control/authorization-requests-go-via-second-round-of-the-username/m-p/4271768#M564764 <P>Thanks!</P><P>&nbsp;</P><P>I got the point of the identity store looks up sequence, but l was surprised to realise that authorization involves that.</P><P>Apparently, it's expected behaviour.</P><P>&nbsp;</P><P>Thanks,</P><P>Myky</P> Wed, 13 Jan 2021 16:35:26 GMT mykys 2021-01-13T16:35:26Z https://community.cisco.com/t5/network-access-control/authorization-requests-go-via-second-round-of-the-username/m-p/4271612#M564756 <P>Hi folks,</P><P>&nbsp;</P><P>I must have missed something basics, but is it expected for ISE to validate username against its identity store for authorization requests?&nbsp;</P><P>I always was thinking that once the user is authenticated, its group membership is retrieved during that stage and can be directly used with authorization request (no need to check the same info again).&nbsp;</P><P>&nbsp;</P><P>Did l miss anything? Log entry below:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="log.PNG" style="width: 587px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/101592i1B270C6DCC324BEE/image-size/large?v=v2&amp;px=999" role="button" title="log.PNG" alt="log.PNG" /></span></P><P>Thanks,</P><P>Myky</P> Wed, 13 Jan 2021 13:33:08 GMT https://community.cisco.com/t5/network-access-control/authorization-requests-go-via-second-round-of-the-username/m-p/4271612#M564756 mykys 2021-01-13T13:33:08Z https://community.cisco.com/t5/network-access-control/authorization-requests-go-via-second-round-of-the-username/m-p/4271730#M564763 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/904904">@mykys</a></P><P>Your authentication policy seems to reference an identity source sequence where the order states that the first store to check is the internal store. You can see the order in the menu: Administration &gt; Identity Management &gt; Identity Source Sequence. There you will find a sequence with the same name as in your authentication policy. You can change the order in the sequences there or even remove a identity store from the sequence if not needed (although I recommend not to change the default sequences from ISE and instead creating a new one). But be careful with editing this, you have to consider all identities which will be processed by all the authentication rules where this sequence is used.</P><P>&nbsp;</P> Wed, 13 Jan 2021 15:52:55 GMT https://community.cisco.com/t5/network-access-control/authorization-requests-go-via-second-round-of-the-username/m-p/4271730#M564763 martin.fischer 2021-01-13T15:52:55Z https://community.cisco.com/t5/network-access-control/authorization-requests-go-via-second-round-of-the-username/m-p/4271768#M564764 <P>Thanks!</P><P>&nbsp;</P><P>I got the point of the identity store looks up sequence, but l was surprised to realise that authorization involves that.</P><P>Apparently, it's expected behaviour.</P><P>&nbsp;</P><P>Thanks,</P><P>Myky</P> Wed, 13 Jan 2021 16:35:26 GMT https://community.cisco.com/t5/network-access-control/authorization-requests-go-via-second-round-of-the-username/m-p/4271768#M564764 mykys 2021-01-13T16:35:26Z