01-13-2021 05:33 AM
Hi folks,
I must have missed something basic, but is it expected for ISE to validate the username against its identity store for authorization requests?
I always was thinking that once the user is authenticated, its group membership is retrieved during that stage and can be directly used with authorization request (no need to check the same info again).
Did I miss anything? Log entry below:
Thanks,
Myky
01-13-2021 07:52 AM
Hi @mykys
Your authentication policy seems to reference an identity source sequence where the order states that the first store to check is the internal store. You can see the order in the menu: Administration > Identity Management > Identity Source Sequence. There you will find a sequence with the same name as in your authentication policy. You can change the order in the sequences there or even remove an identity store from the sequence if not needed (although I recommend not changing the default sequences from ISE and instead creating a new one). But be careful with editing this; you have to consider all identities which will be processed by all the authentication rules where this sequence is used.
01-13-2021 08:35 AM
Thanks!
I got the point of the identity store lookup sequence, but I was surprised to realise that authorization involves that.
Apparently, it's expected behaviour.
Thanks,
Myky