Authorization Requests go via second round of the username authentication

mykys
Level 1

Hi folks,

 

I must have missed something basic, but is it expected for ISE to validate the username against its identity store for authorization requests?

I always thought that once the user is authenticated, their group membership is retrieved during that stage and can be used directly with the authorization request (no need to check the same info again).

 

Did I miss anything? Log entry below:

 

log.PNG

Thanks,

Myky

Accepted Solutions

martin.fischer
Level 1

Hi @mykys

Your authentication policy seems to reference an identity source sequence where the order states that the first store to check is the internal store. You can see the order in the menu: Administration > Identity Management > Identity Source Sequence. There you will find a sequence with the same name as in your authentication policy. You can change the order in the sequences there or even remove an identity store from the sequence if not needed (although I recommend not changing the default sequences from ISE and instead creating a new one). But be careful with editing this: you have to consider all identities which will be processed by all the authentication rules where this sequence is used.

 


2 Replies

Thanks!

 

I got the point of the identity store lookup sequence, but I was surprised to realise that authorization involves that.

Apparently, it's expected behaviour.

 

Thanks,

Myky