ISE 1.1.1. and additional LDAP attribute retrieval

Karel Navratil
Level 1

Hello All,

I'm authenticating users against Active Directory and want to also check additional attributes from LDAP. In ACS 5.3 it was possible to set this up via an External Identity Sequence, but in ISE I don't see this possibility. I can set a sequence only for authentication, but not for additional attribute retrieval.

When I set a condition in a policy that an LDAP attribute must match some value, the attribute is not retrieved and authorization ends on the default Deny Access.

Can anyone tell me how this can be set up on ISE?

Thanks!

Regards

Karel Navratil

17 Replies

Brian,

I am sure Karel configured an authorization condition for this attribute. However, your method should work just fine. Can you post a screenshot of your authorization policy and the report of the other attributes when the machine fails to match?

Thanks

Found the machine was misconfigured for user authentication instead of computer authentication. It is working properly after changing the endpoint to the correct setting.

-Brian

Hi Brian,

my idea was to do EAP Chaining with AnyConnect plus some other control over which users can access and which cannot. To ensure that the computer is ours I have set up a rule with the condition

"Network Access:EapChainingResult EQUALS User And Machine Both Succeeded" and do an additional check for the user in our local LDAP (not AD) directory for an internal attribute. If the attribute matches Employee, then the user is granted access. The internal attribute is controlled by our workflows.

Regarding the AD groups it should work in a similar way. On ACS I remember a problem where the ACS was not able to retrieve group membership from some of our domains even though the trusts were okay. That's the reason why we switched to our internal LDAP.

However, I found that it doesn't work as expected. After applying the rule it works, but after about 20 minutes the access is rejected and the attribute is not retrieved until the rule is deleted and created / applied again. I'm now trying to investigate why this happens.

Regards

Karel
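The rule Karel describes combines an EAP chaining result with an attribute fetched from an external LDAP store, and the failure mode in both posts is the same: when the attribute is never retrieved, the rule simply does not match and evaluation falls through to the default Deny Access. The following toy model of that first-match policy evaluation is an added illustration, not ISE or Cisco code; the directory contents, the attribute name `internalStatus`, the user names and the alternative chaining result string are constructed for the example.

```python
"""Toy model of first-match authorization policy evaluation with an
attribute-retrieval step in front of it.  Shows that a rule depending on
an LDAP attribute that was never fetched evaluates as "no match", so the
session lands on the default Deny Access result rather than on an error.
Added illustration; not ISE code."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the external LDAP directory: user -> attributes.
# The attribute name "internalStatus" is an assumption for this example.
LDAP_DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"internalStatus": "Employee"},
    "bob": {"internalStatus": "Contractor"},
}

CHAINING_BOTH_OK = "User And Machine Both Succeeded"


def ldap_lookup(username: str, attribute: str) -> Optional[str]:
    """Fetch one attribute for a user; None if the user or attribute is absent."""
    return LDAP_DIRECTORY.get(username, {}).get(attribute)


@dataclass
class Session:
    username: str
    eap_chaining_result: str
    attributes: Dict[str, str] = field(default_factory=dict)  # retrieved values


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str


def employee_on_corporate_machine(s: Session) -> bool:
    """Mirror of the thread's rule: chaining succeeded AND attribute == Employee.
    A missing attribute compares unequal, so the rule does not match."""
    return (s.eap_chaining_result == CHAINING_BOTH_OK
            and s.attributes.get("internalStatus") == "Employee")


POLICY: List[Rule] = [
    Rule("Corporate machine + employee", employee_on_corporate_machine, "PermitAccess"),
]
DEFAULT_RESULT = "DenyAccess"  # the implicit last rule


def retrieve_attributes(s: Session, names: List[str],
                        fetch: Callable[[str, str], Optional[str]] = ldap_lookup) -> Session:
    """Attribute-retrieval step.  Pass a fetch that returns None to model a
    store that is not consulted at all (the situation in the thread)."""
    for name in names:
        value = fetch(s.username, name)
        if value is not None:
            s.attributes[name] = value
    return s


def authorize(s: Session, policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; otherwise the default result applies."""
    for rule in policy:
        if rule.condition(s):
            return rule.result
    return DEFAULT_RESULT


def evaluate(username: str, chaining_result: str,
             fetch: Callable[[str, str], Optional[str]] = ldap_lookup) -> str:
    """Run retrieval followed by policy evaluation for one session."""
    s = Session(username, chaining_result)
    retrieve_attributes(s, ["internalStatus"], fetch)
    return authorize(s)


if __name__ == "__main__":
    print(evaluate("alice", CHAINING_BOTH_OK))                     # PermitAccess
    print(evaluate("bob", CHAINING_BOTH_OK))                       # DenyAccess
    print(evaluate("alice", CHAINING_BOTH_OK, fetch=lambda *_: None))  # DenyAccess
```

The third call is the case from the thread: the user and machine both passed EAP chaining and the directory does hold `Employee`, yet because the retrieval step returned nothing the session is denied. When troubleshooting, the thing to confirm in the authorization report is whether the attribute appears in the session at all, since an empty value and a store that was never queried produce the same Deny.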