03-27-2019 08:25 PM
Hello,
I'm setting up ISE authentication policy for VPN users.
My plan was to match tunnel group -and-> user exists in Active Directory -then-> use RSA server for AAA.
I have written a condition for the tunnel group match, but I'm confused and literally don't know how to write the condition for "user exists in Active Directory".
I have integrated my AD with ISE.
Please help me with this guys. Thanks in advance.
Labels: Identity Services Engine (ISE)
Accepted Solutions
03-28-2019 09:26 AM
In case ISE authenticates the user using its AD credentials, we may use the dictionary attribute Network Access·AuthenticationIdentityStore and set it to EQUALS the name of the AD join point.
Other possibilities are:
- ciscoAD·IdentityAccessRestricted, which is false if the user is not disabled in AD and the password has not expired
- Network Access·AD-User-DNS-Domain or Network Access·AD-User-Join-Point
- check AD group membership; e.g. <AD-JoinPoint-Name>·ExternalGroups Equals myAD.com/Users/Domain Users
- check AD user attributes; e.g. <AD-JoinPoint-Name>.<nameOfAttribute>
For the last two, we need to pick the groups and attributes in the AD join point before they are available as drop-down selections on the right-hand side of the attribute-value pair.