Authentication checking multiple policies Cisco ISE

Hello Team,


I've been trying to configure the authentication of users checking multiple policies in the 'Policy Sets' but with no success. I mean, I want to know if ISE is able to follow the next flow:


USER -> Policy 1 - NOT FOUND -> Policy 2 - NOT FOUND -> Policy 3 - NOT FOUND -> Policy 4 FOUND!! Access granted!


Thanks in advance.

Accepted Solution

When a session matches the conditions for a Policy Set, it will be evaluated only by the AuthC and AuthZ Policies within that Policy Set. There is no 'implicit deny' on the AuthC/AuthZ Policies. You can configure either a Permit (ACCESS_ACCEPT) or Deny (ACCESS_REJECT) for the Default AuthC/AuthZ Policies within a Policy Set, but the session will never continue past that Default AuthC/AuthZ policy. The ISE policy flow cannot be configured such that one Policy Set is evaluated and if no match, continue to a different Policy Set.

You will need to re-evaluate what you are trying to accomplish and look at possibly collapsing your Policy Sets and maybe using some sort of Identity Source Sequence.
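The evaluation flow described in the accepted answer, as an added Python model that is not ISE code: the policy sets, identity stores and users below are constructed for the illustration. It shows why a one-Policy-Set-per-store design rejects user3 in Policy 1 without ever reaching Policy 3, and why a single collapsed Policy Set whose AuthC uses an Identity Source Sequence accepts the same user.

```python
from dataclasses import dataclass, field
from typing import Callable

ACCEPT, REJECT = "ACCESS_ACCEPT", "ACCESS_REJECT"

@dataclass
class PolicySet:
    name: str
    condition: Callable[[dict], bool]   # top-level condition; first matching set owns the session
    identity_stores: list               # AuthC: stores tried in order (an Identity Source Sequence)
    authz_rules: list = field(default_factory=list)  # (condition, authorization profile) pairs
    default_authz: str = REJECT         # Default AuthZ rule; evaluation stops here

def evaluate(session: dict, policy_sets: list, stores: dict) -> tuple:
    """Return (policy_set_name, result). Mirrors the flow in the accepted answer:
    the first Policy Set whose condition matches is the only one evaluated, and
    ISE never falls through to another Policy Set when nothing inside it matches."""
    for ps in policy_sets:
        if not ps.condition(session):
            continue
        for store in ps.identity_stores:          # AuthC: walk the identity stores in order
            if session["user"] in stores[store]:
                session["store"] = store
                break
        else:                                      # user in no store: reject, no next Policy Set
            return ps.name, REJECT
        for cond, profile in ps.authz_rules:       # AuthZ rules, top to bottom
            if cond(session):
                return ps.name, profile
        return ps.name, ps.default_authz           # Default AuthZ rule, nothing after it
    return "Default", REJECT                       # no Policy Set condition matched at all

# Constructed sample data: one user per identity store (hypothetical names).
STORES = {"store1": {"user1"}, "store2": {"user2"}, "store3": {"user3"}}

def any_session(_session): return True             # every set matches, as in the question
def user_found(session): return "store" in session # AuthC located the user in some store

# Original design: one Policy Set per store. Policy 1 matches first, user3 is
# not in store1, so it is rejected there; Policy 2 and Policy 3 are never consulted.
SEPARATE_SETS = [PolicySet(f"Policy {i}", any_session, [f"store{i}"], [(user_found, ACCEPT)])
                 for i in (1, 2, 3)]

# Suggested fix: one collapsed Policy Set whose AuthC sequence walks all three stores.
COLLAPSED_SET = [PolicySet("Corporate", any_session, ["store1", "store2", "store3"],
                           [(user_found, ACCEPT)])]

if __name__ == "__main__":
    print(evaluate({"user": "user3"}, SEPARATE_SETS, STORES))   # ('Policy 1', 'ACCESS_REJECT')
    print(evaluate({"user": "user3"}, COLLAPSED_SET, STORES))   # ('Corporate', 'ACCESS_ACCEPT')
```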


6 Replies

ericsmi (Level 1)

Use an Identity Source Sequence to accomplish this.

I think in my design it's not possible to implement this through that feature. Is there any alternative?

thomas (Cisco Employee)

Are you using multiple Policy Sets or only the Default Policy Set?

The ISE LiveLog Details will show you which identity store it tried to authenticate against and what it matched for the Authorization Rule (Policy Set > Authorization Rule). The LiveLog will show you the Authorization Profile it assigned from your AuthZ Rule, too.

I just did an ISE for the Zero Trust Workplace webinar last week and performed a demo of an authentication, showing how you can see the matching policy in the LiveLog. It will be posted to our CiscoISE YouTube Channel this next week.

Hi Thomas,


Yeah, I'm using multiple policy sets in my configuration. Basically the problem is that there is an implicit deny on each policy, which prevents checking the next policy, so when I try to log in with user 3 (which is under policy 3) the ISE only checks Policy 1, and therefore the access is denied because the user does not exist in policy 1.