cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
201
Views
0
Helpful
1
Replies

Force ISE to ignore password for authorize only

PeterLMSD
Level 1
Level 1

Following on from this post: https://community.cisco.com/t5/network-security/asa-ad-ldap-authorization-belonging-to-multiple-groups/m-p/5206839

I am trying to get Authorization only for users belonging to a AD Group.

This works fine if the user is authenticating using username and password, however we also have Entra ID SAML based authentication but we want to apply a AD specific ASA group policy applied in a certain order based on the user belonging to a group or not.

Debugging this I can see the Radius Access-Request for the ASA Authorization flow is specifying the username in the Radius User-Name and User-Password. This would be trivial to solve using FreeRadius but I can't see any way to ignore the user password and not query the ISE integrated directory. If I specify the External Identity Source as the AD instance then it fails. If I set the policy to CONTINUE but in that case it has performed an LDAP Bind against AD and if I do too many logins then I will lock my account out.

What seems to work is specifying the internal user source. Then the user can't be found.

I can't see a way to use the External Identity Source without having ISE attempt to bind.