Authentication policies order of operation with multiple join points

Madura Malwatte
Level 4

I just wanted to confirm the behaviour where I have two Active Directory join points in ISE. If I am not using scope mode or All_AD_Join_Points in Identity Source Sequences, can I have multiple authentication policies, each with a single AD join point?

Example: I have two authentication policies with an identical condition, but each one is referencing a different join point. If the user is not found in AD-server1 in rule 802.1x AD1, will ISE move to the next rule 802.1x AD2 and check the user in AD-server2?

2 Accepted Solutions

Accepted Solutions

Yes, correct. The "user not found - continue" option is used in the case of a guest user with MAB authentication. For dot1x, create an identity source sequence, add both ADs to it, and select the option to move to the next identity store.
-Aravind


Scope is used to have multiple join points. These join points may not be trusted. You will be using the scope in the authentication policy or Identity Source Sequence. At that point ISE checks the join points in the scope or Identity Source Sequence, since they are part of the same policy; "User not found = Reject" does not have an impact as long as the join points (user stores) are part of the scope or ISS.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#concept_2D3FDBAD9F50469BA09704BF409209C7

Thanks

Krishnan

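The evaluation order described in the answers above (first matching rule only, with "User not found" deciding the outcome, versus an identity source sequence that walks both join points) can be modelled in a few lines. This is an added example for illustration, not code from the thread or from Cisco; the store names, users and rule layout are constructed.

```python
# Added example: a small model of how ISE picks an authentication rule and
# consults its identity store(s). Stores, users and rule names are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed directories: each join point knows only its own users.
STORES: Dict[str, Set[str]] = {"AD1": {"alice"}, "AD2": {"bob"}}


@dataclass
class Rule:
    name: str
    condition: str             # matched against the request type, e.g. "dot1x"
    stores: List[str]          # a single join point, or an identity source sequence
    not_found: str = "REJECT"  # the "If User not found" option: REJECT or CONTINUE


def lookup(stores: List[str], user: str) -> Optional[str]:
    """Walk an identity source sequence in order ("move to next store" on a miss)."""
    for store in stores:
        if user in STORES[store]:
            return store
    return None


def authenticate(rules: List[Rule], request_type: str, user: str) -> str:
    """Outcome of the first rule whose condition matches.

    Rules are evaluated top-down and only the first match is used. If the user
    is not found in that rule's store(s), ISE does not fall through to the next
    authentication rule: the rule's "User not found" setting decides, either
    REJECT or CONTINUE to the authorization policy.
    """
    for rule in rules:
        if rule.condition != request_type:
            continue
        found_in = lookup(rule.stores, user)
        if found_in:
            return f"AUTHENTICATED via {rule.name} ({found_in})"
        if rule.not_found == "CONTINUE":
            return f"CONTINUE to authorization via {rule.name} (user not found)"
        return f"REJECT by {rule.name} (user not found)"
    return "NO MATCHING RULE (default rule applies)"


# Layout from the question: two rules with the same condition, one join point each.
SEPARATE_RULES = [Rule("802.1x AD1", "dot1x", ["AD1"]), Rule("802.1x AD2", "dot1x", ["AD2"])]
# Layout from the accepted answers: one rule using an identity source sequence of both.
ISS_RULE = [Rule("802.1x ISS", "dot1x", ["AD1", "AD2"])]
```

With `SEPARATE_RULES`, a user who exists only in AD2 is rejected by the first rule and never reaches "802.1x AD2"; with `ISS_RULE`, the same user is found on the second hop of the sequence.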

5 Replies

No, it will check the first policy, and the user will get rejected if they belong to AD server 2, because, as you have mentioned, "user not found" is set to reject.
-Aravind

Thanks for the reply. So the way around it is to use "If User not found - CONTINUE" option so the second authentication policy is checked?

And also using a scope with both join points or identity source sequence with each individual join point would work with REJECT option right?

If you set the condition to continue, it will move on to the authorization policy.

You can create an identity source sequence for AD1 and AD2, so that if the user is not found in AD1, the lookup is done in AD2. This happens in the order you have defined in the sequence.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)