Cisco ISE Policy Set - how to authenticate VPN users against different user databases

josephqiu (Beginner)
We use ISE/RADIUS to authenticate AnyConnect VPN users. Currently all users are in the ISE internal database, and the policy is easy: from the VPN firewall, using the RADIUS protocol, authentication goes to the internal database. Now we would like to migrate to AD as the external identity store. However, not all users will be AD-ready when we go live.

I have been looking for a solution that will support multiple authentication policies under the existing policy set:

Authentication policy 1: users who have an AD account authenticate using AD
Authentication policy 2: users who don't have an AD account (or anyone else) go to the internal database

The challenge is how to differentiate the authentication requests on ISE. The authentication requests all come from the same VPN firewall. I would have been able to create separate URIs for AD and non-AD users if we had a TACACS license on the ISE. Unfortunately I can only do RADIUS with the ISE for all users. Any suggestion as to what else could be done to split the authentication policy for different identity stores in my case? Thanks.
2 Accepted Solutions

Hi

Not sure I understand. Let me recap just to make sure.
All your VPN user accounts are in the ISE database. You want to migrate some of them to be authenticated through AD and some still on the ISE database. Those migrated to AD won't have any local ISE account anymore.
Am I right?

If so, on your policy set, you can use an identity source sequence referencing your AD and ISE internal users.
Then in your authorization, you can tell if the user is a member of a local ISE group or an AD group and push the right VPN authorization profile.

If my understanding is wrong, can you clarify a bit please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


Mike.Cifelli (Advisor)
You should be able to accomplish what you are searching for by utilizing an identity source sequence that checks your external source (AD) and internal users (ISE DB) to find your user and authenticate them. Administration->Identity Management->Identity Source Sequences. Then in your authc policy use this identity source sequence. Good luck & HTH!

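Both accepted answers rely on the same mechanism: an identity source sequence that walks the configured stores in order, and authorization rules that branch on which store held the user. The Python below is an added model of that lookup, not code from this thread or from Cisco; the store names, users, groups, passwords and authorization profile names are constructed for the example. It models the ISE behaviour that the sequence is a lookup order, not a credential fallback: the first store in which the user exists decides the request, a wrong password there is a reject rather than a fall-through to the next store, and an unreachable store is handled by the sequence's advanced option (stop with a process error, or treat the outage as "user not found" and continue). That last option is the one to think about when migrated users keep a stale internal account, as the original poster planned.

```python
"""Model of how an ISE identity source sequence resolves a RADIUS authentication.

Added illustration, not Cisco code. The stores, users and passwords below are
constructed. Semantics modelled: stores are searched in order; the first store
in which the user exists authenticates the request, and a bad password there is
a reject (no fall-through); an unreachable store is handled by the sequence's
advanced option, which either stops processing or treats the outage as
"user not found" and moves on to the next store.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    PASS = "pass"
    FAIL = "fail"                      # user found, credentials wrong
    USER_NOT_FOUND = "user_not_found"  # user in no store of the sequence
    PROCESS_ERROR = "process_error"    # a store was unreachable and the sequence was told to stop


class StoreUnavailable(Exception):
    """Raised when an identity store (e.g. AD) cannot be contacted."""


@dataclass
class IdentityStore:
    name: str
    users: dict           # username -> (password, set of groups); plaintext only because this is a model
    reachable: bool = True

    def authenticate(self, username, password):
        if not self.reachable:
            raise StoreUnavailable(self.name)
        record = self.users.get(username)
        if record is None:
            return Outcome.USER_NOT_FOUND, set()
        stored_password, groups = record
        return (Outcome.PASS, groups) if password == stored_password else (Outcome.FAIL, set())


@dataclass
class IdentitySourceSequence:
    stores: list
    # Advanced option: treat an unreachable store as "user not found" and proceed (True),
    # or do not access other stores in the sequence and raise a process error (False, default).
    continue_on_unreachable: bool = False

    def authenticate(self, username, password):
        """Return (outcome, name of the store that decided, groups of the user)."""
        for store in self.stores:
            try:
                outcome, groups = store.authenticate(username, password)
            except StoreUnavailable:
                if self.continue_on_unreachable:
                    continue
                return Outcome.PROCESS_ERROR, store.name, set()
            if outcome is Outcome.USER_NOT_FOUND:
                continue                          # lookup moves on to the next store
            return outcome, store.name, groups    # user found: this store decides, pass or fail
        return Outcome.USER_NOT_FOUND, None, set()


def authorize(outcome, store, groups):
    """Authorization rules: branch on which store held the user and on its group (constructed names)."""
    if outcome is not Outcome.PASS:
        return "DenyAccess"
    if store == "AD" and "VPN-AD-Users" in groups:
        return "VPN-AD-Profile"
    if store == "Internal Users" and "VPN_Local" in groups:
        return "VPN-Local-Profile"
    return "DenyAccess"


# Constructed stores: alice is migrated to AD but still has a stale internal account,
# bob is not migrated yet, carol exists in neither store.
AD = IdentityStore("AD", {"alice": ("Ad-Pass-1", {"Domain Users", "VPN-AD-Users"})})
INTERNAL = IdentityStore("Internal Users", {
    "alice": ("Old-Local-Pass", {"VPN_Local"}),
    "bob": ("Bob-Local-Pass", {"VPN_Local"}),
})


def vpn_login(username, password, ad_reachable=True, continue_on_unreachable=False):
    """Run one RADIUS request through the sequence AD -> Internal Users and the authorization rules."""
    AD.reachable = ad_reachable
    seq = IdentitySourceSequence([AD, INTERNAL], continue_on_unreachable)
    outcome, store, groups = seq.authenticate(username, password)
    return outcome, store, authorize(outcome, store, groups)


if __name__ == "__main__":
    for args in [("alice", "Ad-Pass-1"), ("alice", "Old-Local-Pass"), ("bob", "Bob-Local-Pass"),
                 ("carol", "x"), ("bob", "Bob-Local-Pass", False),
                 ("alice", "Old-Local-Pass", False, True)]:
        print(args, "->", vpn_login(*args))
```

With AD reachable, alice's stale internal password is rejected because AD, where she exists, decides her request; bob, who is only in the internal store, falls through to it and gets the local profile. With AD down and the "treat as not found" option enabled, the sequence skips AD and alice's old internal password becomes valid again, which is why removing migrated IDs from the internal store (or choosing the stop-on-error option) matters during the cut-over.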

6 Replies

Hi Francesco,

Thank you for your reply. Your understanding is partially correct. Yes, we are moving users from the internal database to AD, but we didn't plan to remove their IDs from the internal database, due to the amount of work during the cut-over. However, it sounds like an identity store sequence is the only option to go with in my situation. So I may have to consider removing the IDs from the internal database and re-design my policy set. Will give it a try and update! Thanks.

Joseph

Tested and it works as what I needed! Much appreciated!

Hi Mike,

Thank you as well for the help! As I said to Francesco, who provided the same solution, I'm going to give it a try in a testing system and update the post.

Joseph

Mike, after a few tweaks with advanced options and authorization policies, your suggestion is now working as expected on my testing lab. Thank you as well for your input! Appreciated!