Force ISE to ignore password for authorize only

PeterLMSD
Level 1

Following on from this post: https://community.cisco.com/t5/network-security/asa-ad-ldap-authorization-belonging-to-multiple-groups/m-p/5206839

I am trying to get Authorization only for users belonging to an AD group.

This works fine if the user is authenticating using username and password; however, we also have Entra ID SAML-based authentication, and we want an AD-specific ASA group policy applied in a certain order based on whether the user belongs to a group or not.

Debugging this, I can see the RADIUS Access-Request for the ASA Authorization flow is specifying the username in the RADIUS User-Name and User-Password. This would be trivial to solve using FreeRADIUS, but I can't see any way to ignore the user password and not query the ISE integrated directory. If I specify the External Identity Source as the AD instance, then it fails. If I set the policy to CONTINUE, then in that case it has performed an LDAP bind against AD, and if I do too many logins I will lock my account out.

What seems to work is specifying the internal user source. Then the user can't be found.

I can't see a way to use the External Identity Source without having ISE attempt to bind.
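As an added example (not from this thread), a small Python decoder for the RADIUS Access-Request the post above was debugging: it builds a constructed Access-Request carrying User-Name and User-Password (hidden as RFC 2865 requires, with an assumed shared secret and a fixed authenticator) and parses it back, so from a capture you can confirm which attributes the NAS actually sends on the authorization-only flow and what the hidden password decodes to.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, ACCESS_REQUEST = 1, 2, 1  # RFC 2865 attribute types / packet code

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: xor with an MD5 keystream chained on ciphertext."""
    plain = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(plain[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the zero padding afterwards."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def build_access_request(attrs, authenticator, ident=1):
    """Serialise (type, value) pairs into an Access-Request packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body

def parse_access_request(packet, secret):
    """Return the User-Name, the attribute types present, and the decoded User-Password (if any)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    pw = attrs.get(USER_PASSWORD)
    return {"user_name": attrs.get(USER_NAME, [b""])[0].decode("utf-8", "replace"),
            "attributes": sorted(attrs),
            "password": reveal_password(pw[0], secret, authenticator).decode("utf-8", "replace") if pw else None}

# Constructed sample (not a real capture): assumed shared secret and a fixed authenticator.
SECRET, AUTH = b"example-shared-secret", bytes(range(16))
SAMPLE = build_access_request([(USER_NAME, b"peter"),
                               (USER_PASSWORD, hide_password(b"peter", SECRET, AUTH))], AUTH)
```

On a real capture, feed the UDP payload and the NAS shared secret to parse_access_request; a User-Password that decodes to the username (or to garbage) is the tell that the request is an authorization-only flow rather than a real credential check.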

Accepted Solutions

PeterLMSD
Level 1

I have found and solved my own problem. But it needs to be fixed on the client side in the ASA rather than being able to be fixed in ISE.

Also in this post: https://community.cisco.com/t5/network-access-control/best-way-to-integrate-asa-ise-azure-ad-for-mfa/td-p/4043708

Once I ticked the box on the ASA and configured ISE with the correct rule everything worked.
