Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1097
Views
0
Helpful
4
Replies

ISE as authorization server, but Identity source is AD

Go to solution
yongwli
Cisco Employee
Cisco Employee

‎12-11-2018 05:31 AM

Hi Experts,

 

Customer has a requirement, can we do it with ISE?

 

User A is one of AD user, User A connect Anyconnect VPN and authenticated by ISE with AD identity source. After authentication, ISE assign VPN group policy to ASA. Custome would ISE have a user list, only user in the list can have higher VPN network privilege because the AD dont have any attribute for reference.

 

I know ISE could define condition with user=A or user=B or user=C, but is there any better way to do it?

 

Thanks

DL

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Surendra
Cisco Employee
Cisco Employee
In response to yongwli

‎12-11-2018 06:31 AM

Use shadow users.

Configure a user identity group on the ISE.
Configure the users which are highly privileged on the ISE and while configuring them, choose the password store as Active Directory instead of configuring the passwords locally on the ISE for those users.
Configure an authorization policy with the ISE internal user group condition to assign the required group policy.
In the authentication policy, make sure that internal identity store is looked at first and then the AD join points (create a new identity source sequence if required).

I haven’t personally tried this but logically speaking, this should work.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎12-11-2018 05:54 AM

Why not add those users to a custom group on the AD and use that AD group in the authorization policy?
0 Helpful

Go to solution
yongwli
Cisco Employee
Cisco Employee
In response to Surendra

‎12-11-2018 06:10 AM

Customer is network administration team, they cannot get AD team support to do it. So ask us this question, it's presale question.

0 Helpful

Go to solution
Surendra
Cisco Employee
Cisco Employee
In response to yongwli

‎12-11-2018 06:31 AM

Use shadow users.

Configure a user identity group on the ISE.
Configure the users which are highly privileged on the ISE and while configuring them, choose the password store as Active Directory instead of configuring the passwords locally on the ISE for those users.
Configure an authorization policy with the ISE internal user group condition to assign the required group policy.
In the authentication policy, make sure that internal identity store is looked at first and then the AD join points (create a new identity source sequence if required).

I haven’t personally tried this but logically speaking, this should work.
0 Helpful

Go to solution
yongwli
Cisco Employee
Cisco Employee
In response to Surendra

‎12-11-2018 09:45 PM

thank you, let me have a try.

0 Helpful
Customers Also Viewed These Support Documents