Authentication Policy is not checking Next One

shrijan
Level 1

Hello Everyone,

I have two SSIDs, one for AD accounts called "Employee" and another for non-AD accounts called "GUEST".

What I am trying to do is: GUEST accounts are not supposed to access Employee, and Employee accounts are not supposed to access GUEST.

I have created two Authentication Policies, one for each, so that I can identify which SSID is authenticated by which Authentication Policy.

So, first come first.

For the AD store I have put only AD accounts and internal users in the list, NOT GUEST users (created from the Sponsor Portal).

And for the GUEST store I have put only Guest accounts, NOT AD users.

And in the authentication priority list in the Policy List I have put GUEST authentication first and Employee authentication second.

So if an AD user tries to connect, then first it checks the GUEST authentication store, where the AD account is not added, and once it is not able to connect through this policy it should check the second Employee Authentication Policy, shouldn't it?

But here the problem is that it does not check the second Employee Authentication Policy; it just checks the first one and says the user is not found in the GUEST identity store (which is obvious, since there is no AD account in that list).

So the Authentication Policy is not shifting from the first to the second.

Any idea?

Also, to make it move or check another store, "Treat as if the user was not found and proceed to the next store in the sequence" needs to be enabled or checked, doesn't it? If yes, then I have checked this one also. But still it does not move to the second policy.

Thanks.

Regards,

Shrijan


4 Replies

ComputerRick
Cisco Employee

ISE will only process the FIRST Authentication or Authorization policy that matches the conditions, so it will never get to the second from the first. Since you're using separate wireless SSIDs for both Guest and AD users, you should create a condition with SSID equals GUEST on the Guest authentication policy and SSID equals Employee on the other policy.

I would actually suggest creating a new policy set for wireless guests and one for wireless employees so that they don't overlap, and you could isolate that traffic from your business data with dACLs.

The best practice would be to use any ISE internal accounts first, as it's much faster and not dependent on an external ID store.

HTH. Please mark this as the solution if it answers your question.

Hi @ComputerRick

Thank you for the advice. Two separate SSIDs in policy sets worked very well.

I have one more query which is not working.

Below are my Authentication and Authorization Policies:

[attachment: case.png]

Any clue?

Thanks.

Regards,

shrijan

Here's what I would do:

1) Go through the steps in the authentication details and look for each ID store query and result. If you don't see all 3 ID stores, then where did it fail to query? Does it have any info about the AD lookup or show any failures?

2) Confirm the ID Source Sequence that you've created, ensure that it shows all 3, and that the option at the bottom for "Advanced Search List Settings" is set to "Treat as if the user was not found". If AD is not accessible and this is set to "Do not access", it could also be your issue.

3) Enable debugs on ISE for dot1x, test again, and look in the relevant logs.

   a) https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html

For the original question, please mark my first response as the solution. I'm happy to continue assisting you here.
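The two replies above describe two different evaluation models: authentication policy rules are first-match (only the first rule whose conditions match is processed, so there is no fall-through from a "Guest" rule to an "Employee" rule), while fall-through between identity stores happens only inside an Identity Source Sequence and is governed by its "Advanced Search List Settings". The following Python model is an added example written for this thread, not Cisco ISE code; the store names, SSID names, rule names, credentials and the `ProcessError` status string are constructed sample values chosen to mirror the labels the replies mention. It reproduces the original poster's symptom (an AD user stopped by the first, unconditioned Guest rule), shows the suggested fix (rules keyed on SSID), and shows how the "Treat as if the user was not found" versus "Do not access other stores" setting changes the outcome when the AD store is unreachable.

```python
"""Model of first-match authentication rules vs. fall-through inside an
Identity Source Sequence (added example, not Cisco code; all data constructed)."""
from dataclasses import dataclass

NOT_FOUND = "user_not_found"
UNREACHABLE = "store_unreachable"
OK = "success"


@dataclass
class IdentityStore:
    name: str
    users: dict          # username -> password (constructed sample data)
    reachable: bool = True

    def lookup(self, user, password):
        if not self.reachable:
            return UNREACHABLE
        if user not in self.users:
            return NOT_FOUND
        return OK if self.users[user] == password else "wrong_password"


@dataclass
class IdentitySourceSequence:
    name: str
    stores: list
    # Models the ISE "Advanced Search List Settings" option:
    #   True  -> "Treat as if the user was not found and proceed to the next store"
    #   False -> "Do not access other stores" (status string assumed here as ProcessError)
    treat_unreachable_as_not_found: bool = True

    def authenticate(self, user, password):
        trail = []  # (store name, result) per store queried, like the auth details view
        for store in self.stores:
            result = store.lookup(user, password)
            trail.append((store.name, result))
            if result == UNREACHABLE and not self.treat_unreachable_as_not_found:
                return "ProcessError", trail
            if result in (NOT_FOUND, UNREACHABLE):
                continue  # fall through to the next store in the sequence
            return result, trail
        return NOT_FOUND, trail


@dataclass
class AuthRule:
    name: str
    ssid: str                        # condition; None means the rule matches everything
    sequence: IdentitySourceSequence


def evaluate(rules, request):
    """First-match: only the first rule whose condition matches is ever processed."""
    for rule in rules:
        if rule.ssid is None or rule.ssid == request["ssid"]:
            status, trail = rule.sequence.authenticate(request["user"], request["password"])
            return {"rule": rule.name, "status": status, "trail": trail}
    return {"rule": None, "status": "no_matching_rule", "trail": []}


# Constructed stores: sponsor-created guests, internal users, and the AD join point.
GUEST_STORE = IdentityStore("Guest_Users", {"visitor1": "guestpw"})
INTERNAL = IdentityStore("Internal Users", {"svc-admin": "intpw"})
AD_STORE = IdentityStore("corp-AD", {"alice": "adpw"})

GUEST_SEQ = IdentitySourceSequence("Guest_Users_Seq", [GUEST_STORE])
# Internal accounts first, then the external AD store, as the reply recommends.
EMPLOYEE_SEQ = IdentitySourceSequence("Employee_Seq", [INTERNAL, AD_STORE])


def original_rules():
    """The poster's layout: two rules with no SSID condition, Guest ordered first."""
    return [AuthRule("Guest_Auth", None, GUEST_SEQ),
            AuthRule("Employee_Auth", None, EMPLOYEE_SEQ)]


def fixed_rules():
    """The suggested fix: each rule conditioned on its SSID."""
    return [AuthRule("Guest_Auth", "GUEST", GUEST_SEQ),
            AuthRule("Employee_Auth", "Employee", EMPLOYEE_SEQ)]


def demo():
    """An AD user on the Employee SSID, before and after the fix."""
    alice = {"ssid": "Employee", "user": "alice", "password": "adpw"}
    return evaluate(original_rules(), alice), evaluate(fixed_rules(), alice)


def unreachable_ad_demo(treat_as_not_found):
    """Same Employee sequence, but the AD store is down; returns (internal user, AD user) results."""
    dead_ad = IdentityStore("corp-AD", {"alice": "adpw"}, reachable=False)
    seq = IdentitySourceSequence("Employee_Seq", [INTERNAL, dead_ad], treat_as_not_found)
    return seq.authenticate("svc-admin", "intpw"), seq.authenticate("alice", "adpw")


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)   # stops at Guest_Auth with user_not_found
    print("after fix: ", after)    # Employee_Auth, Internal Users miss, corp-AD success
    print("AD down, treat as not found:", unreachable_ad_demo(True)[1])
    print("AD down, do not access:     ", unreachable_ad_demo(False)[1])
```

The `trail` returned for each authentication is the counterpart of the per-store query results step 1 above asks you to read in the authentication details: if the trail ends early, the first-match rule selection or the "Do not access" setting is the place to look.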

Hi @ComputerRick

You are absolutely right. I created an identity store for the guest accounts as Guest_Users, and in the authentication policy I had selected Guest User, which was the default one. So obviously after I selected Guest_Users it worked very well.

I really appreciate your advice.

Regards,

shrijan