08-29-2012 03:54 PM - edited 03-10-2019 07:28 PM
Hello All,
I'm authenticating users against Active Directory and want to also check additional attributes from LDAP. In ACS 5.3 it was possible to set this up via External Identity Sequence, but in ISE I don't see this possibility. I can set a sequence only for authentication, but not for additional attribute retrieval.
When I set a condition in a policy that an LDAP attribute must match some value, the attribute is not retrieved and authorization ends on the default Deny Access.
Can anyone help me with how this can be set up on ISE?
Thanks!
Regards
Karel Navratil
09-15-2012 07:07 PM
Brian,
I am sure Karel configured an authorization condition for this attribute. However, your method should work just fine. Can you post a screenshot of your authorization policy and the report of the other attributes when the machine fails to match?
Thanks
09-20-2012 01:29 PM
Found the machine was misconfigured for user authentication instead of computer authentication. It is working properly after changing the endpoint to the correct setting.
-Brian
09-16-2012 11:50 PM
Hi Brian,
My idea was to do EAP Chaining with AnyConnect plus some other control over which users can access and which cannot. To ensure that the computer is ours, I have set up a rule with the condition
"Network Access:EapChainingResult EQUALS User And Machine Both Succeeded" and do an additional check for the user in our local LDAP (not AD) directory for an internal attribute. If the attribute matches Employee, then the user is granted access. The internal attribute is controlled by our workflows.
Regarding the AD groups, it should work in a similar way. On ACS I remember a problem where the ACS was not able to retrieve group membership for some of our domains even though the trusts were okay. That's the reason why we switched to our internal LDAP.
However, I found that it doesn't work as expected. After applying the rule it works, but after about 20 minutes the access is rejected and the attribute is not retrieved until the rule is deleted and created / applied again. I'm now trying to investigate why this happens.
Regards
Karel