02-02-2020 04:16 PM
Hi, I'm working on a project to cut over our existing ACS to ISE. I'm new to ISE and looking through an eval version of the application. I'm looking for a way to authenticate users to different external identity sources.
ISE access requirements:
- External company needs super user access for support, authenticated via an LDAP external identity source
- Internal users need Read-Only access, authenticated via an AD external identity source
- Internal database will have a single super-admin user account if external identity store connectivity is down.
From looking at the GUI page Administration > Admin Access > Authentication > Authentication Method, I can pick either the AD or LDAP, which appear as a drop-down on the login screen, but I don't have an option for both.
Outcome:
I want to be able to have multiple external identity stores as well as internal store for users to choose where they need to be authenticated. Is this possible?
Note: on my eval I have created dummy AD and LDAP External Identity Stores, so the joins have not been established, just in case this causes an issue.
02-02-2020 06:40 PM
Current versions of ISE can only leverage a single external Identity Source (AD, LDAP, RADIUS Token, etc.) for authentication of Admin Access (GUI, External RESTful Service).
ISE will always permit an Internal user to log in via the dropdown. There is no way to restrict allowing login by an internal user only in the case that the external ID store is unavailable.
Some options that customers have used to work around this include:
Cheers,
Greg
02-02-2020 06:46 PM
Thanks, Greg.
I figured as much following some further testing on "admin groups": when I select the external check box, it pre-fills the external identity source selected under Authentication-type.
02-02-2020 08:55 PM
02-02-2020 09:17 PM
Hi Mohammed,
That could be a great workaround.
Thanks for calling out the option.
Andrew