cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1754
Views
5
Helpful
3
Replies

Authentication Policy Dictionary Attributes for AD

VipulAgr
Level 1
Level 1

Guys,

Need some help on ISE Authentication Policy, I have integrated ISE with AD and would like to authenticate UserGroup A with Authentication Server A, while UserGroup B with Authentication Server B , means two separate user groups using two different authentication methods. I was not able to find any relevant Dictionary Attributes for calling AD groups in Authentication Policy...while I see it's present in Authorization Policy as "<Join Point Name> ExternalGroups"

 

 

serve

1 Accepted Solution

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni

But is there any way to call out the AD Group attribute in Authentication Policy itself as part of rule matching condition. 

-AFAIK, no.  Identity group conditions are utilized within authz policies.  However, another option you could potentially rely on is the subject attribute in authc condition that matches on let's say a unique certificate field.  The trick here would be having a unique field that would differentiate your two use cases.  HTH!

View solution in original post

3 Replies 3

Mike.Cifelli
VIP Alumni
VIP Alumni

I would suggest possibly having two separate policies, one for each.  Create two separate identity source sequences that then get assigned in the authc 'use' column.  Then within your authz conditions you will then have the ability to push policy to unique external groups for each separate server based on the following condition: <SOURCE>: ExternalGroups equals <your group>.  HTH!

Thanks Mike,

 

I'll try that , that should work. But is there any way to call out the AD Group attribute in Authentication Policy itself as part of rule matching condition. That's needed for another use-case :  We are using AD authentication and Azure MFA together for authenticating users and would like to see if user is part of a Deny group in AD..if he is,  he should be straight away denied access instead of getting the MFA call.

I was planning to call Deny AD group as condition in Authentication Policy and set authc to "DenyAccess", else user will go through whole authentication process including MFA call and at last under authorization would be denied.

 

Mike.Cifelli
VIP Alumni
VIP Alumni

But is there any way to call out the AD Group attribute in Authentication Policy itself as part of rule matching condition. 

-AFAIK, no.  Identity group conditions are utilized within authz policies.  However, another option you could potentially rely on is the subject attribute in authc condition that matches on let's say a unique certificate field.  The trick here would be having a unique field that would differentiate your two use cases.  HTH!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: