Cisco ISE TACACS+ with RSA Securid and AD integration

west33637
Level 1

I'd like to use ISE with RSA AM and Active Directory as external identity sources. But I would like to use RSA to authenticate users, and AD group membership to determine authorization policy. Is this possible?

How does this work? ISE will need to have the RSA AM configured as an external identity source in the authentication policy. Where will ISE get the AD group info of the user in order to configure authorization policies against?

Does the RSA pass AD group information to ISE for the purpose of authorization?

1 Accepted Solution

Nope, that is not how AD authentication works. As I said, authentication is separate from authorization. All the authentication phase is doing is answering the question "Are the credentials correct?". All the other look-ups happen in the authorization phase.

I am saying exactly what you summarized. RSA does pass/fail back to ISE and then in authorization ISE will do the AD look-ups.

3 Replies

paul
Level 10

You don't need RSA to do anything other than say "Did the 2FA work or not?". ISE authentication is completely separate from ISE authorization. Define your RSA server to ISE and use it in the authentication phase to run the 2FA process. Once the user passes the authentication phase the session continues to authorization. In the authorization phase you can do whatever AD checks you want.
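The two-phase flow described in this reply, modelled as an added example (not Cisco or ISE code): the OTP source only answers pass/fail, and AD group membership is looked up separately in the authorization phase. The OTP store, the AD group table, the rule table and the user names are constructed stand-ins; the shell profile names are assumed for illustration.

```python
"""Two-phase, ISE-style policy evaluation: an external OTP source (RSA-like)
for authentication, an AD-style group lookup for authorization.

Added example, not Cisco/ISE code. The directory contents, the OTP verifier
and the rule table are constructed stand-ins for illustration."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for RSA Authentication Manager: it only answers
# "did the passcode verify?" and returns no group or attribute data.
OTP_STORE = {"alice": "123456", "bob": "654321", "carol": "111111", "dave": "222222"}


def rsa_authenticate(user: str, passcode: str) -> bool:
    """Authentication phase: pass/fail only, nothing else is returned."""
    return OTP_STORE.get(user) == passcode


# Constructed stand-in for Active Directory group membership.
# Note: "dave" can authenticate but has no AD account.
AD_GROUPS = {
    "alice": {"NetOps-Admins", "Domain Users"},
    "bob": {"NetOps-ReadOnly", "Domain Users"},
    "carol": {"Domain Users"},
}


def ad_lookup_groups(user: str) -> Optional[set]:
    """Authorization-phase lookup; None if the account is not in AD."""
    return AD_GROUPS.get(user)


@dataclass
class AuthzResult:
    allowed: bool
    shell_profile: str
    reason: str
    groups: set = field(default_factory=set)


# Ordered TACACS+ authorization rules: (required AD group, shell profile).
# First match wins, mirroring an ordered authorization policy table.
# Profile names are assumed for illustration.
AUTHZ_RULES = [
    ("NetOps-Admins", "priv15-full"),
    ("NetOps-ReadOnly", "priv1-readonly"),
]


def evaluate(user: str, passcode: str) -> AuthzResult:
    """Run authentication, then authorization, as two independent phases."""
    # Phase 1: authentication. Fail here and nothing else is consulted.
    if not rsa_authenticate(user, passcode):
        return AuthzResult(False, "none", "authentication failed")

    # Phase 2: authorization. Groups come from AD, never from the OTP result.
    groups = ad_lookup_groups(user)
    if groups is None:
        return AuthzResult(False, "none", "no AD account for authorization")
    for group, profile in AUTHZ_RULES:
        if group in groups:
            return AuthzResult(True, profile, f"matched group {group}", groups)

    # Default rule: authenticated, but no group matched, so access is denied.
    return AuthzResult(False, "none", "no authorization rule matched", groups)


if __name__ == "__main__":
    for u, p in [("alice", "123456"), ("bob", "654321"), ("carol", "111111"),
                 ("dave", "222222"), ("alice", "000000")]:
        r = evaluate(u, p)
        print(f"{u:6} allowed={r.allowed!s:5} profile={r.shell_profile:14} {r.reason}")
```

The point the model makes explicit: a wrong passcode stops the flow before any directory query, and a correct passcode on its own grants nothing; the shell profile is decided entirely by the AD groups looked up afterwards, with a deny when the account has no matching group or no AD account at all.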

Hello Paul. Thanks for the response. I always thought that when a user session is authenticated against AD, AD returns the AD group information with the authentication passed message, and this group information was what ISE used in the authorization policy to determine how the user is authorized.

In a case where RSA is doing the authentication, are you saying that ISE will receive an authentication passed message from RSA, and then still query AD for the user's group information? I guess my question is how will ISE know what the user's AD group info is in order to apply authorization policy against it?


Thanks,
