01-14-2022 09:22 AM
Hello Team,
I've been trying to configure the authentication of users by checking multiple policies on the 'Policy Sets', but with no success. I mean, I want to know if the ISE is able to follow the next flow:
USER -> Policy 1 - NOT FOUND -> Policy 2 - NOT FOUND -> Policy 3 - NOT FOUND -> Policy 4 FOUND!! Access granted!
Thanks in advance.
01-14-2022 09:33 AM
Use an Identity Source Sequence to accomplish this.
01-14-2022 11:26 AM
I think in my design it's not possible to implement this through that feature. Is there any alternative?
01-15-2022 05:16 PM
Are you using multiple Policy Sets or only the Default Policy Set?
The ISE LiveLog Details will show you what identity store it tried to authenticate against and what it matched for the Authorization Rule (Policy Set > Authorization Rule). The LiveLog will show you the Authorization Profile it assigned from your Authz Rule, too.
I just did an ISE for the Zero Trust Workplace webinar last week and performed a demo of an authentication and showed how you can see the matching policy in the LiveLog. It will be posted to our CiscoISE YouTube Channel this next week.
01-17-2022 06:53 AM
Hi Thomas,
Yeah, I'm using multiple policy sets in my configuration. Basically the problem is that there is an implicit Deny on each policy, which avoids checking the next policy. So, when I try to log in with user 3 (which is under policy 3), the ISE only checks Policy 1, and therefore the access is denied, because the user does not exist in policy 1.
01-17-2022 01:46 PM
When a session matches the conditions for a Policy Set, it will be evaluated only by the AuthC and AuthZ Policies within that Policy Set. There is no 'implicit deny' on the AuthC/AuthZ Policies. You can configure either a Permit (ACCESS_ACCEPT) or Deny (ACCESS_REJECT) for the Default AuthC/AuthZ Policies within a Policy Set, but the session will never continue past that Default AuthC/AuthZ policy. The ISE policy flow cannot be configured such that one Policy Set is evaluated and if no match, continue to a different Policy Set.
You will need to re-evaluate what you are trying to accomplish and look at possibly collapsing your Policy Sets and maybe using some sort of Identity Source Sequence.
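To make the answer concrete, here is an added Python model (not ISE code, and not posted by anyone in this thread) of the evaluation order described above: the first Policy Set whose condition matches owns the session and there is no fall-through, versus a single Policy Set whose AuthC rule uses an Identity Source Sequence. Store names, users, passwords and the session attributes are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed identity stores: name -> {username: password}. Placeholder data only.
STORES: Dict[str, Dict[str, str]] = {
    "AD": {"alice": "pw-alice"},
    "LDAP": {"bob": "pw-bob"},
    "Internal": {"carol": "pw-carol"},
}

@dataclass
class PolicySet:
    name: str
    condition: Callable[[dict], bool]  # top-level Policy Set condition
    sequence: List[str]                # stores tried in order (an Identity Source Sequence)

def lookup(sequence: List[str], user: str, password: str) -> Tuple[str, Optional[str]]:
    """Walk the sequence: 'user not found' moves on to the next store; a user that is
    found but fails to authenticate ends the sequence (simplified ISE-like behaviour)."""
    for store in sequence:
        if user not in STORES[store]:
            continue
        return ("PASS" if STORES[store][user] == password else "FAIL", store)
    return ("NOT_FOUND", None)

def authenticate(policy_sets: List[PolicySet], session: dict) -> Tuple[str, str, Optional[str]]:
    """First Policy Set whose condition matches owns the session; later sets are never consulted."""
    for ps in policy_sets:
        if ps.condition(session):
            result, store = lookup(ps.sequence, session["user"], session["password"])
            # Default AuthC rule: anything other than a pass is a final REJECT for this Policy Set
            return ("ACCESS_ACCEPT" if result == "PASS" else "ACCESS_REJECT", ps.name, store)
    return ("ACCESS_REJECT", "Default", None)   # no Policy Set matched at all

is_wired = lambda s: s["nas_port"] == "wired"

# Design from the question: one Policy Set per store, all matching the same kind of session
SEPARATE_SETS = [PolicySet("Policy 1", is_wired, ["AD"]),
                 PolicySet("Policy 2", is_wired, ["LDAP"]),
                 PolicySet("Policy 3", is_wired, ["Internal"])]
# Design from the answer: one Policy Set whose AuthC rule uses an Identity Source Sequence
COLLAPSED = [PolicySet("Workplace", is_wired, ["AD", "LDAP", "Internal"])]

BOB = {"user": "bob", "password": "pw-bob", "nas_port": "wired"}  # constructed session

if __name__ == "__main__":
    print(authenticate(SEPARATE_SETS, BOB))  # rejected by Policy 1, Policy 2 never evaluated
    print(authenticate(COLLAPSED, BOB))      # accepted, found in LDAP by the sequence
```

The first call is the behaviour described in the question (bob is rejected by Policy 1 and Policy 2 is never reached); the second shows the collapsed design where the sequence, not the Policy Set order, does the fall-through.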
01-17-2022 03:57 PM
thank you