Authentication policies order of operation with multiple join points

I just wanted to confirm the behaviour where I have two Active Directory join points in ISE. If I am not using scope mode or All_AD_Join_Points in Identity Source Sequences, can I have multiple authentication policies, each with a single AD join point?

For example, I have two authentication policies with identical conditions, but each one references a different join point. If the user is not found in AD-server1 in rule 802.1x AD1, will ISE move to the next rule, 802.1x AD2, and check the user in AD-server2?

[Screenshot attached: Screen Shot 2019-06-06 at 1.48.25 am.jpg]

2 Accepted Solutions

Re: Authentication policies order of operation with multiple join points

Yes, correct. The "user not found - continue" option is used in the case of a guest user with MAB authentication. For dot1x, create an identity source sequence, call both ADs in it, and select the option to move to the next identity store.
-Aravind
Cisco Employee

Re: Authentication policies order of operation with multiple join points

Scope is used to have multiple join points. These join points may not be trusted. You will be using the scope in the auth policy or identity source sequence. At that point ISE checks the join points in the scope or identity source sequence; since it is part of the same policy, "User not found = Reject" does not have an impact as long as the join points (user stores) are part of the scope or ISS.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#concept_2D3FDBAD9F50469BA09704BF409209C7

 

Thanks

Krishnan

 

 

5 Replies

Re: Authentication policies order of operation with multiple join points

No, it will check the first policy and get rejected if the user belongs to AD server 2, as you have mentioned: if user not found, reject.
-Aravind
Participant

Re: Authentication policies order of operation with multiple join points

Thanks for the reply. So the way around it is to use the "If User not found - CONTINUE" option so that the second authentication policy is checked?

 

And also, using a scope with both join points, or an identity source sequence with each individual join point, would work with the REJECT option, right?

 


Re: Authentication policies order of operation with multiple join points

If you set the condition to continue, it will move on to the authorization policy.

 

You can create an identity source sequence for AD1 and AD2, so that if the user is not found on AD1, it will do the lookup on AD2. This will happen based on the sequence you have defined.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept it as the solution if my response satisfied your question :)
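To make the evaluation order discussed in this thread concrete, here is an added toy model (not ISE code and not from any poster) of three behaviours: ISE uses only the first authentication rule whose condition matches, the rule's "If user not found" option decides what happens next, and an identity source sequence tries the next store on "user not found". The directories, user names and passwords are constructed sample data.

```python
"""Toy model of ISE authentication rule selection and 'user not found' handling."""
from dataclasses import dataclass

# Constructed sample join points: each directory knows only its own users.
AD1 = {"alice": "pw-a"}
AD2 = {"bob": "pw-b"}


@dataclass
class AuthRule:
    name: str
    matches: object                  # condition on the request, e.g. wired 802.1X
    stores: list                     # one join point, or several = identity source sequence
    user_not_found: str = "REJECT"   # REJECT | CONTINUE | DROP (the rule's options)


def lookup(stores, user):
    """Identity source sequence: try each store, move to the next on 'user not found'."""
    for store in stores:
        if user in store:
            return store
    return None


def authenticate(rules, request):
    """ISE evaluates rules top-down and uses only the FIRST rule whose condition
    matches; it never falls through to a later rule because the user was not found."""
    for rule in rules:
        if not rule.matches(request):
            continue
        store = lookup(rule.stores, request["user"])
        if store is None:
            if rule.user_not_found == "CONTINUE":
                return (rule.name, "CONTINUE to authorization")   # no identity established
            return (rule.name, rule.user_not_found)
        ok = store[request["user"]] == request["password"]
        return (rule.name, "AUTH_OK" if ok else "AUTH_FAILED")
    return ("default", "REJECT")


is_dot1x = lambda r: r["protocol"] == "802.1X"
bob = {"user": "bob", "password": "pw-b", "protocol": "802.1X"}

# The original poster's setup: two rules with identical conditions, one per join point.
# bob exists only in AD2, but "802.1x AD1" matches first, so AD2 is never consulted.
two_rules = [AuthRule("802.1x AD1", is_dot1x, [AD1]), AuthRule("802.1x AD2", is_dot1x, [AD2])]

# The suggested fix: one rule whose store is an identity source sequence AD1 -> AD2.
iss_rule = [AuthRule("802.1x ISS", is_dot1x, [AD1, AD2])]

if __name__ == "__main__":
    print(authenticate(two_rules, bob))   # ('802.1x AD1', 'REJECT')
    print(authenticate(iss_rule, bob))    # ('802.1x ISS', 'AUTH_OK')
```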
