179 Views, 0 Helpful, 6 Replies

Beginner
Cisco ISE Policy Set - how to authenticate VPN users against different user databases

We use ISE/RADIUS to authenticate AnyConnect VPN users. Currently all users are in the ISE internal database, and the policy is easy: from the VPN firewall, using the RADIUS protocol, authentication goes to the internal database. Now we would like to migrate to AD as the external identity store. However, not all users will be AD-ready when we go live. I have been looking for a solution that will support multiple authentication policies under the existing policy set:

Authentication policy 1: users who have an AD account authenticate using AD.
Authentication policy 2: users who don't have an AD account (or anyone else) go to the internal database.

The challenge is how to differentiate the authentication requests on ISE. The authentication requests all come from the same VPN firewall. I could have created separate URIs for AD and non-AD users if we had a TACACS license on the ISE. Unfortunately I can only do RADIUS with the ISE for all users. Any suggestion what else could be done to split the authentication policy for different identity stores in my case? Thanks.
6 Replies

VIP Advisor (accepted solution)

Re: Cisco ISE Policy Set - how to authenticate VPN users against different user databases

Hi

Not sure I understand. Let me recap just to make sure.
All your VPN user accounts are in the ISE database. You want to migrate some of them to be authenticated through AD and keep some on the ISE database. Those migrated to AD won't have any local ISE account anymore.
Am I right?

If so, in your policy set you can use an identity source sequence referencing your AD and ISE internal users.
Then in your authorization, you can tell whether the user is a member of a local ISE group or an AD group and push the right VPN authorization profile.

If my understanding is wrong, can you clarify a bit please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: Cisco ISE Policy Set - how to authenticate VPN users against different user databases

Hi Francesco,

Thank you for your reply. Your understanding is partially correct. Yes, we are moving users from the internal database to AD, but we didn't plan to remove their IDs from the internal database, due to the amount of work during the cut-over. However, it sounds like an identity source sequence is the only option to go with in my situation. So I may have to consider removing the IDs from the internal database and re-design my policy set. Will give it a try and update! Thanks.

Joseph
Beginner

Re: Cisco ISE Policy Set - how to authenticate VPN users against different user databases

Tested and it works as what I needed! Much appreciated!
Rising Star (accepted solution)

Re: Cisco ISE Policy Set - how to authenticate VPN users against different user databases

You should be able to accomplish what you are searching for by utilizing an identity source sequence that checks your external source (AD) and internal users (ISE DB) to find your user and authenticate them: Administration -> Identity Management -> Identity Source Sequences. Then in your authc policy use this identity source sequence. Good luck & HTH!
Beginner

Re: Cisco ISE Policy Set - how to authenticate VPN users against different user databases

Hi Mike,

Thank you as well for the help! As I said to Francesco, who provided the same solution, I'm going to give it a try in a testing system and update the post.

Joseph
Beginner

Re: Cisco ISE Policy Set - how to authenticate VPN users against different user databases

Mike, after a few tweaks with advanced options and authorization policies, your suggestion is now working as expected in my testing lab. Thank you as well for your input! Appreciated!
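Editor's note: the following is an added illustration for this thread, not ISE code and not something any of the posters wrote. It models the identity source sequence (ISS) behaviour Francesco and Mike both recommend (AD first, internal users second) and the ISS advanced option Joseph mentions tweaking: when a store cannot be reached, ISE either stops with ProcessError (the default) or treats the user as not found and moves on to the next store. The store contents, usernames, passwords, group names, profile names and the small class API are all constructed for the example. Two points worth seeing run: a user who exists in AD but supplies a wrong password gets a Failed result from AD and the sequence does not fall through to the internal store; but if AD is unreachable and the "treat as not found" option is set, a stale internal account that was never deleted (Joseph's original plan was to keep the internal IDs) authenticates with its old password.

```python
"""Model of a Cisco ISE identity source sequence resolving one RADIUS
authentication against ordered stores, then authorizing on the result.
Added illustration only: stores, users, groups, profiles and this helper
API are constructed, not ISE's own code or attribute names."""
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASSED = "Passed"                 # user found, credentials accepted
    FAILED = "Failed"                 # user found, credentials rejected
    USER_NOT_FOUND = "UserNotFound"   # not in this store, try the next one
    PROCESS_ERROR = "ProcessError"    # a store could not be reached


class StoreUnavailable(Exception):
    """Raised when a store (e.g. the AD join point) cannot be contacted."""


@dataclass
class Store:
    name: str
    users: dict                 # username -> (password, group); constructed
    reachable: bool = True

    def authenticate(self, username, password):
        if not self.reachable:
            raise StoreUnavailable(self.name)
        record = self.users.get(username)
        if record is None:
            return Result.USER_NOT_FOUND, None
        stored_password, group = record
        return (Result.PASSED if password == stored_password else Result.FAILED), group


@dataclass
class IdentitySourceSequence:
    stores: list                               # tried in this order
    unreachable_means_not_found: bool = False  # the ISS advanced option

    def authenticate(self, username, password):
        """Return (result, name of the store that decided, group)."""
        for store in self.stores:
            try:
                result, group = store.authenticate(username, password)
            except StoreUnavailable:
                if self.unreachable_means_not_found:
                    continue                   # fall through to the next store
                return Result.PROCESS_ERROR, store.name, None
            if result is Result.USER_NOT_FOUND:
                continue                       # only "not found" moves on
            return result, store.name, group   # found: this store decides, pass or fail
        return Result.USER_NOT_FOUND, None, None


def authorize(store_name, group):
    """Stand-in for the authorization rules: branch on the store that
    matched and the group it returned, and push the matching VPN profile."""
    if store_name == "AD" and group == "VPN-Users":
        return "VPN_AD_Profile"
    if store_name == "Internal Users" and group == "VPN_Legacy":
        return "VPN_Legacy_Profile"
    return "DenyAccess"


def resolve(sequence, username, password):
    result, store_name, group = sequence.authenticate(username, password)
    profile = authorize(store_name, group) if result is Result.PASSED else "DenyAccess"
    return result.value, store_name, profile


def build_lab(ad_reachable=True):
    """Constructed stores: alice was migrated to AD but her old internal
    account was never deleted; bob is not in AD yet."""
    ad = Store("AD", {"alice": ("N3w-AD-Pass!", "VPN-Users")}, reachable=ad_reachable)
    internal = Store("Internal Users", {
        "alice": ("old-local-pass", "VPN_Legacy"),   # stale duplicate account
        "bob": ("bob-local-pass", "VPN_Legacy"),
    })
    return ad, internal


def run_scenarios():
    seq = IdentitySourceSequence(list(build_lab()))
    strict = IdentitySourceSequence(list(build_lab(ad_reachable=False)))
    lenient = IdentitySourceSequence(list(build_lab(ad_reachable=False)),
                                     unreachable_means_not_found=True)
    return {
        # migrated user, correct AD password: AD answers, AD profile pushed
        "alice_ad_ok": resolve(seq, "alice", "N3w-AD-Pass!"),
        # migrated user typing her OLD internal password: AD says Failed and
        # the sequence stops; the stale internal account is never consulted
        "alice_old_pw": resolve(seq, "alice", "old-local-pass"),
        # user not yet in AD: AD returns not-found, internal store authenticates
        "bob_internal": resolve(seq, "bob", "bob-local-pass"),
        # AD unreachable, default option: ProcessError, nobody falls to internal
        "alice_ad_down_strict": resolve(strict, "alice", "N3w-AD-Pass!"),
        # AD unreachable, "treat as not found": the stale internal account
        # and its old password now authenticate alice
        "alice_ad_down_lenient": resolve(lenient, "alice", "old-local-pass"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24} -> {outcome}")
```

Run it as a script to see the five outcomes side by side. The last scenario is the one to check before going live with the option set to "treat as not found": with AD first in the sequence, an internal account that duplicates an AD username is dormant while AD is healthy and becomes the effective credential whenever AD is not, so either remove the migrated internal accounts, as Joseph ended up considering, or keep the default ProcessError behaviour.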