Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3864
Views
0
Helpful
6
Replies

Cisco ISE Policy Set - how to authenticate VPN users against different user databases

Go to solution
josephqiu
Level 1
Level 1

‎08-16-2019 12:21 PM - edited ‎02-21-2020 11:08 AM

We use ISE/Radius to authenticate AnyConnect VPN users. Currently all users are in the ISE internal database, and the policy is easy: From the VPN firewall using Radius protocol, authentication will go to internal database. Now we would like to migrate to AD as external identity store. However, not all users will be AD ready when we go live. I have been looking for a solution that will support multiple authentication policies under the existing policy set: Authentication policy 1: user who has AD account, authenticate using AD Authentication policy 2: user who doesn't have AD account (or anyone else), go to internal database The challenge is how to differentiate the authentication request on ISE. The authentication requests all come from the same VPN firewall. I could have been able to create separate URI's for AD and non-AD users, if we had a TACACS license on the ISE. Unfortunately I can only do Radius with the ISE for all users. Any suggestion what else could be done to split the authentication policy for different identity stores in my case? Thanks.
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎08-18-2019 09:31 PM

Hi

Not sure i understand. Let me recap just to make sure.
All your vpn user accounts are in ise database. You want to migrate some of them to be authenticated through AD and some still on ise database. Those migrate to AD won't have anymore any local ise account.
Am i right?

If so, on your policy set, you can use an identity source sequence referencing your AD and ise internal users.
Then on your authorization, you can tell if member of local ise group or AD group then you push the right vpn authorization profile.

If my understanding is wrong, can you clarify a bit please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎08-19-2019 06:19 AM

You should be able to accomplish what you are searching for by utilizing an identity source sequence that checks your external source (AD) and internal users (ISE DB) to find your user and authenticate them. Administration->Identity Management->Identity Source Sequences. Then in your authc policy use this identity source sequence. Good luck & HTH!

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎08-18-2019 09:31 PM

Hi

Not sure i understand. Let me recap just to make sure.
All your vpn user accounts are in ise database. You want to migrate some of them to be authenticated through AD and some still on ise database. Those migrate to AD won't have anymore any local ise account.
Am i right?

If so, on your policy set, you can use an identity source sequence referencing your AD and ise internal users.
Then on your authorization, you can tell if member of local ise group or AD group then you push the right vpn authorization profile.

If my understanding is wrong, can you clarify a bit please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
josephqiu
Level 1
Level 1
In response to Francesco Molino

‎08-19-2019 10:17 AM

Hi Francesco Thank you for your reply. Your understanding is partially correct. Yes, we are moving users from internal database to AD, but we didn't plan to remove their IDs from internal database, due to the amount of work during the cut-over. However, it sounds like identity store sequence is the only option to go with in my situation. So I may have to considering removing the IDs from internal database, and re-design my policy set. Will give it a try and update! Thanks. Joseph
0 Helpful

Go to solution
josephqiu
Level 1
Level 1
In response to Francesco Molino

‎08-19-2019 12:11 PM

Tested and it works as what I needed! Much appreciated!
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎08-19-2019 06:19 AM

You should be able to accomplish what you are searching for by utilizing an identity source sequence that checks your external source (AD) and internal users (ISE DB) to find your user and authenticate them. Administration->Identity Management->Identity Source Sequences. Then in your authc policy use this identity source sequence. Good luck & HTH!
0 Helpful

Go to solution
josephqiu
Level 1
Level 1
In response to Mike.Cifelli

‎08-19-2019 10:20 AM

Hi Mike Thank you as well for the help! As I said to Francesco, who provided the same solution, I'm going to give it a try in a testing system and update the post. Joseph
0 Helpful

Go to solution
josephqiu
Level 1
Level 1
In response to Mike.Cifelli

‎08-19-2019 12:14 PM

Mike, after a few tweaks with advanced options and authorization policies, your suggestion is now working as expected on my testing lab. Thank you as well for your input! Appreciated!
0 Helpful
Customers Also Viewed These Support Documents
li.common.scroll-to.top