topic Re: ISE : How to differentiate between AD Users AD and proxy radius us in Network Access Control

ISE : How to differentiate between AD Users AD and proxy radius users

Ditter — Wed, 17 May 2023 10:32:41 GMT

Hi to all,

i am looking of a way to differentiate between two kind of dot1x users:

1. Users that have to go through AD which is correctly configured as identity source in ISE and this rule is the only active rule in policy sets

and

2. Users that go through proxy radius which also work correctly when this rule is the only active in policy sets

But when i activate both rules, the proxy radius based users fail to authenticate when the AD rule is configured firstly and the same is true when the proxy radius rule is configured firstly then the AD users fail.

The problem as i see it is because the condition in the Policy sets is the same that is : Normalised Radius Flow Type EQUALS wired802_1x.

Any ideas how could i differentiate between these two flows (AD flow and Proxy radius flow)?

Thanks,

Ditter

Re: ISE : How to differentiate between AD Users AD and proxy radius us

Greg Gibbs — Wed, 17 May 2023 22:27:04 GMT

This sounds similar to the Eduroam use case example found here:

https://community.cisco.com/t5/security-knowledge-base/configuring-eduroam-on-cisco-identity-services-engine-ise/ta-p/3655672

You would need the username presented to ISE to differentiate between users in your realm (authenticated by your AD) versus users in another realm (proxied). Your Policy Set matching conditions would be based on those attributes.

Re: ISE : How to differentiate between AD Users AD and proxy radius us

Ditter — Fri, 19 May 2023 08:24:34 GMT

Thanks for the document. I added an AND statement in the two conditions to differentiate between users , something like the following:

Normalised Radius Flow TYpe AND Radius User-Name contains (or NOT contains) the realm i want in order to send some users to proxy radius and some others in the Active Directory.

It seems that it is working in a way.

Ditter