https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460249#M569492 <P>Hi Muhammed,</P><P>&nbsp;</P><P>Just to confirm the continue action is added to the first rule so that if not matched will move to the second rule?</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>Andrew</P> Mon, 06 Sep 2021 08:05:03 GMT Anubis71 2021-09-06T08:05:03Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4459587#M569457 <P>Hi,&nbsp;</P><P>&nbsp;</P><P>I am wanting to configure multiple Authentication Policy rules under a policy set, allowing for different certificates authorities. There is already a policy with a certificate authority (Legacy AD Domain) configured but we need to add a new one for a new AD domain as well. If I add a another rule to the Authentication Policy and unfortunately can only place above the current rule, and it matches this rule then all good but if it doesn't does it move to the next rule automatically or do I need to configure the options to be 'continue' rather than 'reject'/'drop'?</P><P>&nbsp;</P><P>Need this during the transition stage between the AD domains.</P><P>&nbsp;</P><P>I hope this makes sense if not please ping me and I will add more information.</P><P>&nbsp;</P><P>Thanks in advance</P> Fri, 03 Sep 2021 17:10:42 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4459587#M569457 Anubis71 2021-09-03T17:10:42Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4459616#M569460 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1053315">@Anubis71</a>&nbsp;,</P><P class="lia-align-justify">&nbsp;you can have many <STRONG>Rules</STRONG> in an <STRONG>Authentication Policy</STRONG>.</P><P class="lia-align-justify">&nbsp;Each <STRONG>Rule</STRONG> has a&nbsp;<STRONG>Condition</STRONG>&nbsp;and the following <STRONG>Options</STRONG>: <STRONG>If Auth Fail</STRONG>, <STRONG>If User Not Found</STRONG> and <STRONG>If Process Fail</STRONG>.</P><P class="lia-align-justify">&nbsp;Each <STRONG>Option</STRONG> can have the following "suboptions":</P><P class="lia-align-justify">. <STRONG>Continue:&nbsp;</STRONG>jumps to <STRONG>Authorization Policy</STRONG>, <U>not to the next <STRONG>Rule</STRONG> of the <STRONG>Authentication Policy</STRONG></U>.</P><P class="lia-align-justify">. <STRONG>Reject:&nbsp;</STRONG>sends back a reject request</P><P class="lia-align-justify">. <STRONG>Drop:&nbsp;</STRONG>drop the packet.</P><P class="lia-align-justify">&nbsp;</P><P class="lia-align-justify">Note: for future reference take a look at&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_segmentation.html" target="_blank" rel="noopener">ISE Administration Guide 2.7</A>, search for <STRONG>Authentication Failures - Police Result Options</STRONG> for details of the actions: <STRONG>Continue</STRONG>, <STRONG>Reject</STRONG> and <STRONG>Drop</STRONG>.</P><P class="lia-align-justify">Hope this helps !!!</P> Mon, 06 Sep 2021 14:47:56 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4459616#M569460 Marcelo Morais 2021-09-06T14:47:56Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4459795#M569470 Hi,<BR /><BR />What I suggest is to put all actions as continue (if auth fail, if user not<BR />found, if process fail). This will ensure that users are evaluated against<BR />both ADs until your migration is completed.<BR /><BR />Otherwise, it won't move to next rule automatically.<BR /><BR />***** please remember to rate useful posts<BR /> Sat, 04 Sep 2021 06:58:06 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4459795#M569470 Mohammed al Baqari 2021-09-04T06:58:06Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460246#M569491 <P>Hi Marcelo,</P><P>&nbsp;</P><P>Thanks for the response.</P> Mon, 06 Sep 2021 07:58:49 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460246#M569491 Anubis71 2021-09-06T07:58:49Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460249#M569492 <P>Hi Muhammed,</P><P>&nbsp;</P><P>Just to confirm the continue action is added to the first rule so that if not matched will move to the second rule?</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>Andrew</P> Mon, 06 Sep 2021 08:05:03 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460249#M569492 Anubis71 2021-09-06T08:05:03Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460365#M569505 Yes, that is correct.<BR /><BR />*** please remember to rate useful posts<BR /> Mon, 06 Sep 2021 11:20:06 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460365#M569505 Mohammed al Baqari 2021-09-06T11:20:06Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460448#M569519 <P>Thanks Mohammed.</P> Mon, 06 Sep 2021 14:03:08 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460448#M569519 Anubis71 2021-09-06T14:03:08Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460609#M569543 <P>No, that is not correct. As&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/17232">@Marcelo Morais</a> states in his previous message, the CONTINUE option for 'If user not found' results in the session 'falling-through' the Authentication Policy to be evaluated in the Authorization Policy.</P> <P>This is basically bypassing Authentication for any session that matches your AuthC Policy conditions. This is a pretty big security gap for an 802.1x session, so it should only be used temporarily if needed. The 'If user found = CONTINUE' option is typically used for MAB endpoints to fall-through the AuthC policy to hit the AuthZ policy for profiling.</P> <P>With your scenario, you need to look at what conditions would be different between the sessions for your different use cases. If you have different CAs, you should have something different in the certificate that you can match on (Issuer CN, SN, etc) to create differentiated AuthC Policies. Those AuthC Policies could have different CAPs, use different Identity Source Sequences using the different AD join points, etc.</P> Tue, 07 Sep 2021 00:33:52 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460609#M569543 Greg Gibbs 2021-09-07T00:33:52Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460665#M569548 Thx <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087">@Greg Gibbs</a> for correcting me.<BR /> Tue, 07 Sep 2021 02:22:06 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460665#M569548 Mohammed al Baqari 2021-09-07T02:22:06Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460954#M569570 <P>Thanks&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087">@Greg Gibbs</a>&nbsp;that changes my AuthC policy quite a bit. Will look into this.</P><P>&nbsp;</P><P>Thanks for your help.</P> Tue, 07 Sep 2021 10:24:22 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-policy-multiple-rules-and-options/m-p/4460954#M569570 Anubis71 2021-09-07T10:24:22Z