
How can I block an Active Directory user on an ISE server?

SENOL YILDIRIM
Level 1

Hello Everyone,

I have an ISE server, and I wanted to block or ban an Active Directory user on the ISE server. Thank you for the assist.

5 Replies

Marvin Rhoads
Hall of Fame

If you want to ban users from the network it would be easiest to simply create an AD group and assign them as members of that group. Then you can check for group membership as part of the Authorization policy and, if they are members, either Deny Access or redirect to a quarantine page.

I am using an AD group to block access. The user account is also in another group that has access, but the order of operations has the block access first. If I authenticate to the network, it blocks me. However, if I authenticate 3 times in a row, I can get on.

If AD Group Block --> Deny Access

If AD Group Allow --> Allow Access

If Default --> Deny Access

The first 2 times, it matches AD Group Block. The third time, it matches Allow.

Any thoughts?

That sounds odd.

I would compare the detailed Authorization results from the RADIUS live logs for both the DENY and ALLOW cases to see what ISE is basing the incorrect ALLOW AuthZ result on.

I checked the logs as suggested and with a little troubleshooting, I found I was authenticating to the same network on a different wireless access point. I guess I must have been seeing authentications from multiple devices when I actually thought I was seeing the deny and then the allow.

Thanks,

Alex
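
The first-match rule order and the log mix-up discussed in this thread, as an added example that is not part of any post and is not ISE's own code: it models the three rules and shows why events should be grouped per device before concluding that a blocked user was allowed. The event records, field names, user names and addresses are constructed for illustration and are not the ISE live-log schema.

```python
from collections import defaultdict

# Ordered authorization rules as written in the thread: the first match wins.
RULES = [
    ("AD Group Block", lambda g: "Block" in g, "Deny Access"),
    ("AD Group Allow", lambda g: "Allow" in g, "Allow Access"),
    ("Default",        lambda g: True,         "Deny Access"),
]

def authorize(groups):
    """Return (rule name, result) of the first rule matching the AD groups."""
    for name, matches, result in RULES:
        if matches(groups):
            return name, result

# Constructed authentication events in time order (hypothetical field names).
EVENTS = [
    {"user": "blocked.user", "endpoint": "02:00:00:00:00:01", "nas": "ap-1",
     "groups": {"Block", "Allow"}},
    {"user": "blocked.user", "endpoint": "02:00:00:00:00:01", "nas": "ap-1",
     "groups": {"Block", "Allow"}},
    {"user": "other.user", "endpoint": "02:00:00:00:00:02", "nas": "ap-2",
     "groups": {"Allow"}},
]

def flat_results(events):
    """What a quick glance at the log shows: results with no device context."""
    return [authorize(e["groups"])[1] for e in events]

def results_by_device(events):
    """Group matched rules by (endpoint, access point) so devices are not mixed."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e["endpoint"], e["nas"])].append(authorize(e["groups"])[0])
    return dict(grouped)

def inconsistent_devices(events):
    """Devices whose own events hit more than one rule: a real policy problem."""
    return [k for k, rules in results_by_device(events).items()
            if len(set(rules)) > 1]

if __name__ == "__main__":
    print(flat_results(EVENTS))
    for device, rules in results_by_device(EVENTS).items():
        print(device, rules)
    print("inconsistent:", inconsistent_devices(EVENTS))
```

A member of both groups always stops at the Block rule, so a deny, deny, allow sequence only points at the policy if a single device appears in `inconsistent_devices`.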

I am wondering if you are using ISE 2.2 version