06-20-2019 05:46 AM
Both RSA and AD are set up as external identity stores. RSA is also using AD as its identity store, so effectively all accounts are present in both ext. ID stores. What I’m trying to do is set my policy so that when I use an account that ends in “_a” it is required to use RSA 2FA. All other accounts that match a specific security group just get in with read-only access.
Is there a way to match “_a” accounts so that they are authenticated against a certain ext. ID store, RSA in my case? I’ve tried with “contains” and “ends with” in the policy, but it doesn’t seem to make a difference and it simply doesn’t want to match.
Labels: Identity Services Engine (ISE)
Accepted Solutions
07-01-2019 09:09 PM
Adding to what rubenvankomen suggested...
Below is an example of TACACS+ policy sets similar to what you asked for, which I tested working:
Two policy sets: one with TACACS.User endsWith 1 and the other is Default.
The “Username ends with 1” policy set uses MFA (e.g. DuoRADIUS).
The Default policy set uses AD to authenticate the users.
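The two-policy-set layout above is configured in the ISE GUI, so there is no code to paste from the thread itself. The following is an added example, not ISE code or anything from the original post: a small Python model of the behaviour the answer relies on, namely that ISE walks policy sets top-down, takes the first whose condition matches, and falls through to Default, and that the matched policy set's authentication policy decides which identity store receives the credentials. The operator names (equals, contains, startsWith, endsWith) are the ones shown in the ISE condition editor; their plain case-sensitive string semantics, the policy set name "Admin accounts", and the attribute name "Radius.User-Name" are assumptions made for the model. It also goes slightly beyond the answer by applying the same shape to the "_a" suffix from the question and by showing why a TACACS.User condition can never fire for a request that carries no TACACS.User attribute, which is the Device Admin versus Network Access point raised earlier in the thread.

```python
"""Model of how Cisco ISE picks a policy set and an identity store.

Added example, not ISE code: it reproduces only the top-down, first-match
evaluation and the per-policy-set identity store described in the thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Operator names as shown in the ISE condition editor. Plain case-sensitive
# string matching is an assumption of this model, not a statement about ISE.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals":     lambda actual, expected: actual == expected,
    "contains":   lambda actual, expected: expected in actual,
    "startsWith": lambda actual, expected: actual.startswith(expected),
    "endsWith":   lambda actual, expected: actual.endswith(expected),
}


@dataclass(frozen=True)
class Condition:
    attribute: str   # dictionary attribute the condition reads, e.g. "TACACS.User"
    operator: str    # key of OPERATORS
    value: str       # value the attribute is compared against

    def matches(self, request: Dict[str, str]) -> bool:
        # An attribute the request does not carry can never satisfy the
        # condition: a TACACS.User condition is simply false for a request
        # that only has RADIUS attributes.
        actual = request.get(self.attribute)
        if actual is None:
            return False
        return OPERATORS[self.operator](actual, self.value)


@dataclass(frozen=True)
class PolicySet:
    name: str
    condition: Optional[Condition]  # None marks the Default policy set
    identity_store: str             # store used by this set's authentication policy


def select_policy_set(policy_sets: List[PolicySet], request: Dict[str, str]) -> PolicySet:
    """Top-down evaluation, first match wins; Default is last and always matches."""
    for policy_set in policy_sets:
        if policy_set.condition is None or policy_set.condition.matches(request):
            return policy_set
    raise LookupError("no Default policy set configured")


# The two Device Admin policy sets from the accepted answer.
ANSWER_POLICY_SETS: List[PolicySet] = [
    PolicySet("Username ends with 1", Condition("TACACS.User", "endsWith", "1"), "DuoRADIUS"),
    PolicySet("Default", None, "AD"),
]

# The same shape applied to the question: "_a" accounts go to RSA, everyone
# else to AD. The policy set name "Admin accounts" is invented for the model.
SUFFIX_A_POLICY_SETS: List[PolicySet] = [
    PolicySet("Admin accounts", Condition("TACACS.User", "endsWith", "_a"), "RSA"),
    PolicySet("Default", None, "AD"),
]


def identity_store_for(username: str,
                       policy_sets: List[PolicySet] = ANSWER_POLICY_SETS,
                       attribute: str = "TACACS.User") -> str:
    """Return the identity store a login with this username is sent to."""
    request = {attribute: username}
    return select_policy_set(policy_sets, request).identity_store


if __name__ == "__main__":
    for user in ("netadmin1", "netadmin", "jdoe_a", "jdoe"):
        print(f"{user:10} answer layout -> {identity_store_for(user, ANSWER_POLICY_SETS):9} "
              f"'_a' layout -> {identity_store_for(user, SUFFIX_A_POLICY_SETS)}")
    # A RADIUS request has no TACACS.User, so the endsWith condition cannot
    # match and the login falls through to Default. "Radius.User-Name" is an
    # illustrative attribute name for this model.
    print("netadmin1 via RADIUS ->",
          identity_store_for("netadmin1", ANSWER_POLICY_SETS, attribute="Radius.User-Name"))
```

Running the block shows "netadmin1" landing on DuoRADIUS and "jdoe_a" on RSA, while the same username presented without a TACACS.User attribute lands on AD. That last case is the one to keep in mind when a suffix condition "simply doesn't want to match": the condition can be correct and still never be evaluated against the attribute it names if it lives in the wrong kind of policy set.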
06-20-2019 10:26 AM
As you described, you can match an attribute to a value in the authentication policy to make sure that certain users use a specific Identity Store or Identity Store Sequence. Can you please confirm that you are using the Device Administration policy set (Work Centers > Device Administration > Device Admin Policy Sets) and not the Network Access policy set for TACACS+ Device Administration?
If you are using the correct policy set, can you provide a screenshot of the condition?