
Authentication Policy Dictionary Attributes for AD

VipulAgr
Level 1

Guys,

I need some help with the ISE Authentication Policy. I have integrated ISE with AD and would like to authenticate UserGroup A with Authentication Server A and UserGroup B with Authentication Server B, meaning two separate user groups using two different authentication methods. I was not able to find any relevant Dictionary Attributes for calling AD groups in the Authentication Policy, while I see they are present in the Authorization Policy as "<Join Point Name> ExternalGroups".


Accepted Solution

Mike.Cifelli
VIP Alumni

But is there any way to call out the AD Group attribute in Authentication Policy itself as part of rule matching condition. 

- AFAIK, no. Identity group conditions are utilized within authz policies. However, another option you could potentially rely on is the subject attribute in the authc condition that matches on, let's say, a unique certificate field. The trick here would be having a unique field that would differentiate your two use cases. HTH!


3 Replies

Mike.Cifelli
VIP Alumni

I would suggest possibly having two separate policies, one for each. Create two separate identity source sequences that then get assigned in the authc 'use' column. Then within your authz conditions you will have the ability to push policy to unique external groups for each separate server based on the following condition: <SOURCE>: ExternalGroups equals <your group>. HTH!

Thanks Mike,


I'll try that; that should work. But is there any way to call out the AD Group attribute in the Authentication Policy itself as part of a rule matching condition? That's needed for another use case: we are using AD authentication and Azure MFA together for authenticating users and would like to see if the user is part of a Deny group in AD. If he is, he should be denied access straight away instead of getting the MFA call.

I was planning to call the Deny AD group as a condition in the Authentication Policy and set authc to "DenyAccess"; otherwise the user will go through the whole authentication process, including the MFA call, and only at the end be denied under authorization.
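The following is an added example, not code from Cisco ISE or from anyone in this thread. It is a toy Python model of the evaluation order both of Mike's replies describe: the authentication policy can only match on request attributes (here a certificate subject field, as Mike suggests) and selects an identity source sequence, while the `<Join Point>:ExternalGroups` attribute only becomes available to the authorization policy. The join point names, users, groups and the `subject_ou` attribute are constructed for the example; the MFA step is a stand-in callback. Running it shows why a user in the Deny group still receives the MFA call before being denied in authz, which is exactly the limitation raised above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample directories standing in for the two AD join points.
# The value is the list of AD groups each user belongs to on that server.
JOIN_POINTS: Dict[str, Dict[str, List[str]]] = {
    "ServerA": {"alice": ["GroupA"]},
    "ServerB": {"bob": ["GroupB"], "carol": ["GroupB", "Deny"]},
}


@dataclass
class AuthcRule:
    name: str
    condition: Callable[[dict], bool]  # sees only request attributes (cert subject, NAS, ...)
    use: List[str]                     # identity source sequence: join points tried in order


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[dict], bool]  # sees identity attributes such as ExternalGroups
    result: str


def lookup_identity(user: str, sequence: List[str]) -> Optional[dict]:
    """Walk the identity source sequence; the first store that knows the user wins."""
    for jp in sequence:
        if user in JOIN_POINTS[jp]:
            return {"user": user, "join_point": jp, "ExternalGroups": JOIN_POINTS[jp][user]}
    return None


def evaluate(request: dict, authc: List[AuthcRule], authz: List[AuthzRule],
             mfa: Callable[[str], bool]) -> List[str]:
    """Return a trace of the authc -> MFA -> authz decision for one request."""
    trace: List[str] = []
    # Authentication stage: group membership is not known yet, so rules can
    # only branch on attributes carried in the request itself.
    rule = next((r for r in authc if r.condition(request)), None)
    if rule is None:
        return trace + ["authc: no rule matched -> reject"]
    identity = lookup_identity(request["user"], rule.use)
    if identity is None:
        return trace + [f"authc:{rule.name}: user not found in {rule.use} -> reject"]
    trace.append(f"authc:{rule.name}: authenticated via {identity['join_point']}")
    # MFA runs before authorization, so a Deny group cannot short-circuit it here.
    if not mfa(request["user"]):
        return trace + ["mfa: failed -> reject"]
    trace.append("mfa: passed")
    # Authorization stage: ExternalGroups from the join point are now available.
    for r in authz:
        if r.condition(identity):
            return trace + [f"authz:{r.name} -> {r.result}"]
    return trace + ["authz: default -> DenyAccess"]


# Two authc rules, each selecting its own identity source sequence, keyed on a
# constructed certificate subject OU (the "unique certificate field" idea).
AUTHC = [
    AuthcRule("GroupA_users", lambda req: req["subject_ou"] == "GroupA", ["ServerA"]),
    AuthcRule("GroupB_users", lambda req: req["subject_ou"] == "GroupB", ["ServerB"]),
]

# Authz rules of the form "<SOURCE>: ExternalGroups equals <group>"; the Deny
# rule is evaluated first so it wins over the permit rules.
AUTHZ = [
    AuthzRule("Deny_group",
              lambda i: i["join_point"] == "ServerB" and "Deny" in i["ExternalGroups"],
              "DenyAccess"),
    AuthzRule("ServerA_GroupA",
              lambda i: i["join_point"] == "ServerA" and "GroupA" in i["ExternalGroups"],
              "PermitAccess_A"),
    AuthzRule("ServerB_GroupB",
              lambda i: i["join_point"] == "ServerB" and "GroupB" in i["ExternalGroups"],
              "PermitAccess_B"),
]


def run(user: str, subject_ou: str) -> List[str]:
    """Evaluate one user with an always-succeeding stand-in MFA callback."""
    return evaluate({"user": user, "subject_ou": subject_ou}, AUTHC, AUTHZ, mfa=lambda _u: True)


if __name__ == "__main__":
    for user, ou in [("alice", "GroupA"), ("bob", "GroupB"), ("carol", "GroupB")]:
        print(user, run(user, ou))
```

In the trace for `carol` the `mfa: passed` entry precedes the `authz:Deny_group -> DenyAccess` entry: the Deny decision is reachable only after MFA, because the group attribute does not exist at the authc stage. The only place to cut the flow short earlier is an authc condition on a request attribute that already distinguishes the denied population, which is the workaround in the accepted solution.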
