Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
735
Views
0
Helpful
3
Replies

ISE-Admin access: Extra condition with external Username "contains/starts" with "x" ?

Go to solution
mvassigh
Cisco Employee
Cisco Employee

‎02-26-2018 09:18 AM

Dear experts,

while migrating some ACS solution,  our partner is challenged with an option, that exists in ACS 5.x, but seems to be hard to build in ISE.

The goal is to trigger and authorize with an  "external AD membership", which is fine, but then also "Require the Username" to fulfill an extra condition = (example)  "Begins with A".

So any ISE-Admin, who could authenticate and achieve a "Super-Power-Role", not only is member of a specific AD-Group, but also has been assigned a "Username = Starts with A". Only if both match, he would achieve the "Super-Power-Role".

Reason beeing, that structured User-Naming was enforced with this condition, whereas membership for other users in the same AD group could not be prevented.

We had a look at various UI elements, but did not achieve to find a way to squeeze this "Condition check" into the Authorization rules.

All we are offered is "External Group, whereas ACS has this setting as shown below.

2018-02-26_ACS-Settings.png

Kind regards

/michael

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gbekmezi-DD
Level 5
Level 5
In response to mvassigh

‎02-26-2018 11:45 AM

Sorry Michael, I misinterpreted your question! I think the only way to accomplish what you want to do with ISE is to have those users with the “A” accounts be a member of a user group in the directory….so they could be a member of the “A” group to gain access to ISE administration. I was reading your request as device administration for some reason.

George

View solution in original post

0 Helpful
3 Replies 3

Go to solution
gbekmezi-DD
Level 5
Level 5

‎02-26-2018 10:15 AM

Would this work for you?

I just tested with Network Access:UserName STARTS_WITH as well as TACACS:User STARTS_WITH and they both work.

George

Preview file
30 KB
0 Helpful

Go to solution
mvassigh
Cisco Employee
Cisco Employee
In response to gbekmezi-DD

‎02-26-2018 11:21 AM

Dear George,

thanks for highlighting the option, but would this apply for ISE-UI login process as well ?

I thought Network-Access is for "Pass-Through" not "Pass-To" Authentications, meaning that "some device" is asking for Authentication-Services, versus ISE-UI itself is asking for that.

Does that make sense ?

regards

/michael

0 Helpful

Go to solution
gbekmezi-DD
Level 5
Level 5
In response to mvassigh

‎02-26-2018 11:45 AM

Sorry Michael, I misinterpreted your question! I think the only way to accomplish what you want to do with ISE is to have those users with the “A” accounts be a member of a user group in the directory….so they could be a member of the “A” group to gain access to ISE administration. I was reading your request as device administration for some reason.

George

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents