ISE 1.0.4 - identity Sequence refuses to use AD after RSA

Chris Evans
Level 1

We are running ISE 1.0.4 with a requirement that on the surface is simple, but fails to execute properly no matter how I tweak it.  It is:

VPN users either need to be within a certain AD group or

They need to authenticate against RSA.

I set authentication to use an identitysequence with RSA listed first, then AD second.

I set authorization to check identity server (using network access:AuthenticationIdentityStore).

- If it’s RSA, pass it.

- If it’s Active directory, AND the condition with a check on that group membership.  Pass if both pass.

- Set the default authorization rule to deny access.

This should work.  Here’s where it breaks down.  It all stems from the fact that the same userIds exist in RSA and AD and that ISE steadfastly refuses to attempt the second identity server method listed in the sequence if RSA is listed first.

- If I list RSA first and the "authentication failed" policy is set to Reject:
  - For users not in RSA that I want to authenticate against AD, it rejects: it attempts against RSA but never hits AD (the second server listed in the identity sequence). This is what is broken.
  - This works for users in RSA.
- If I list the RSA server first and the "authentication failed" policy is set to Continue:
  - Users not in RSA will pass authentication that shouldn't, because the Network Access:AuthenticationIdentityStore value will be pointing to the RSA server, regardless of whether they actually passed against that server or not.
  - Effectively users can connect regardless of whether their password is right or not.
  - This option sets it to proceed from authentication to authorization.
- If I list AD first in the sequence:
  - Since the same ID exists in both AD and RSA, it'll fail as a bad password against AD. It'll never attempt against RSA.

Am I missing a simple fix for this?  I have a testbed in which I can simulate the issue but since I don’t have an RSA server handy, I’m using an identity sequence with AD and fallback to internal.  It works as I’d expect, falling back from AD to local if the user doesn't exist in AD.  If the user is in AD, it never tries local and shows the attempt as a bad password.

3 Replies

darren-lacasse
Level 1

Chris,

Did you ever come across a resolution for this? I have the same issue with ISE 1.0.4 .

Thanks

There is a configuration option on the RSA server definition (Authentication Control options):

This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted for Identity Policy processing and reporting.

Treat Rejects as 'authentication failed'
Treat Rejects as 'user not found'

If RSA is the first server in the sequence, it will only continue to the next server if the following option is selected: "Treat Rejects as 'user not found'".

In addition, you had a comment about the value of the "Network Access:AuthenticationIdentityStore" attribute. This will contain the name of the last ID store that was checked. If you want to ensure that the authentication did in fact succeed, you should also check the following:

"Network Access:AuthenticationStatus EQUALS AuthenticationPassed"
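
The following is an added example, not from the thread and not Cisco code: a small Python model of how an ISE identity sequence walks its stores and how the authorization rules from the original post behave under each of the settings discussed above. The user names, passwords, passcodes and the group name "VPN-Users" are constructed sample data; the RSA store is modelled as an accept/reject-only store whose rejects are interpreted by the "Treat Rejects as ..." setting, and AD as a store that can report "user not found" on its own. ISE's separate "If user not found" authentication option is folded into the same Reject/Continue switch here for brevity.

```python
from dataclasses import dataclass

# Constructed sample directories (not real credentials): user -> secret.
# "carol" exists in both stores, as in the original post.
RSA_USERS = {"alice": "1234567890", "carol": "2468013579"}
AD_USERS = {"bob": "Winter2012!", "carol": "Summer2012!", "dave": "Spring2012!"}
AD_GROUPS = {"bob": {"VPN-Users"}, "carol": {"VPN-Users"}, "dave": set()}
VPN_GROUP = "VPN-Users"   # assumed name of the AD group that grants VPN access

TREAT_AS_FAILED = "authentication failed"
TREAT_AS_NOT_FOUND = "user not found"


def rsa_lookup(user, passcode, reject_as):
    """RSA only answers accept/reject; the admin setting decides whether a
    reject is seen by the sequence as 'Failed' (stop) or 'NotFound' (advance)."""
    if RSA_USERS.get(user) == passcode:
        return "Passed"
    return "Failed" if reject_as == TREAT_AS_FAILED else "NotFound"


def ad_lookup(user, password, reject_as=None):
    """AD distinguishes an unknown user from a wrong password; reject_as is ignored."""
    if user not in AD_USERS:
        return "NotFound"
    return "Passed" if AD_USERS[user] == password else "Failed"


STORES = {"RSA": rsa_lookup, "AD": ad_lookup}


@dataclass(frozen=True)
class Policy:
    sequence: tuple                     # identity stores in order, e.g. ("RSA", "AD")
    rsa_reject_as: str = TREAT_AS_FAILED
    on_auth_failed: str = "Reject"      # authentication policy: "Reject" or "Continue"
    check_auth_status: bool = False     # add "AuthenticationStatus EQUALS AuthenticationPassed"


def run_sequence(policy, user, secret):
    """Walk the identity sequence: advance only on NotFound, stop on Passed/Failed.
    Returns (Network Access:AuthenticationStatus, Network Access:AuthenticationIdentityStore);
    the store attribute is always the last store that was checked."""
    last = None
    for name in policy.sequence:
        last = name
        result = STORES[name](user, secret, policy.rsa_reject_as)
        if result == "Passed":
            return "AuthenticationPassed", last
        if result == "Failed":
            return "AuthenticationFailed", last
    return "UserNotFound", last


def authorize(policy, status, store, user):
    """The three authorization rules from the original post, plus the optional
    status condition from the reply; the default rule denies."""
    if policy.check_auth_status and status != "AuthenticationPassed":
        return "DenyAccess"
    if store == "RSA":
        return "PermitAccess"
    if store == "AD" and VPN_GROUP in AD_GROUPS.get(user, set()):
        return "PermitAccess"
    return "DenyAccess"


def evaluate(policy, user, secret):
    """Full flow: identity sequence -> authentication policy -> authorization."""
    status, store = run_sequence(policy, user, secret)
    if status != "AuthenticationPassed" and policy.on_auth_failed == "Reject":
        return "Rejected"   # dropped before authorization is ever consulted
    return authorize(policy, status, store, user)


# The configurations discussed in the thread.
RSA_FIRST_REJECT = Policy(("RSA", "AD"))
RSA_FIRST_CONTINUE = Policy(("RSA", "AD"), on_auth_failed="Continue")
AD_FIRST = Policy(("AD", "RSA"))
FIXED = Policy(("RSA", "AD"), rsa_reject_as=TREAT_AS_NOT_FOUND)
FIXED_CONTINUE_NO_STATUS = Policy(("RSA", "AD"), TREAT_AS_NOT_FOUND, "Continue", False)
FIXED_CONTINUE_STATUS = Policy(("RSA", "AD"), TREAT_AS_NOT_FOUND, "Continue", True)

if __name__ == "__main__":
    for label, pol, user, secret in [
        ("RSA first, rejects as failed, AD-only user", RSA_FIRST_REJECT, "bob", "Winter2012!"),
        ("RSA first, continue on failure, wrong password", RSA_FIRST_CONTINUE, "bob", "nope"),
        ("AD first, user in both stores with RSA passcode", AD_FIRST, "carol", "2468013579"),
        ("rejects as not found, AD-only user in group", FIXED, "bob", "Winter2012!"),
        ("rejects as not found, AD user not in group", FIXED, "dave", "Spring2012!"),
        ("continue + no status check, wrong password", FIXED_CONTINUE_NO_STATUS, "bob", "nope"),
        ("continue + status check, wrong password", FIXED_CONTINUE_STATUS, "bob", "nope"),
    ]:
        print(f"{label}: {evaluate(pol, user, secret)}")
```

Running it reproduces the three failure modes from the original post (RSA-first/Reject never reaches AD, RSA-first/Continue permits a wrong password because the store attribute still says RSA, AD-first fails the shared user on a bad password) and shows that "Treat Rejects as 'user not found'" makes the sequence advance. It also shows why the AuthenticationStatus condition matters if "Continue" is left on: without it, a bad AD password still lands on the AD rule and the group check alone permits the session. One consequence of the model worth keeping in mind: with rejects treated as "not found", a user present in both stores can satisfy the policy with either secret, which matches the "RSA or AD group" requirement stated in the post but should be a deliberate choice.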

Thanks. I did stumble upon this exact solution (through trial and error). Hopefully this will save someone else the same headache.