Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
671
Views
0
Helpful
1
Replies

ISE Authentication Compound Condition help

Go to solution
Stally1003
Level 1
Level 1

‎03-27-2019 08:25 PM

Hello,

 

I'm setting up ISE authentication policy for VPN users.

 

My plan was to match tunnel group -and-> user exists in Active Directory -then-> use RSA server for AAA.

 

I have written condition for tunnel group match but I'm confused or don't know literally on how to write condition for "user exists in Active Directory".

 

I have integrated my AD with ISE.

 

Please help me with this guys. Thanks in advance.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎03-28-2019 09:26 AM

In case ISE authenticates the user using its AD credentials, we may use this dictionary attribute  Network Access·AuthenticationIdentityStore and set it to EQUALS to the name of the AD join point.

Other possibilities are:

  • ciscoAD·IdentityAccessRestricted, false if the user not disabled in AD and the password not expired
  • Network Access·AD-User-DNS-Domain or Network Access·AD-User-Join-Point
  • check AD group membership; e.g. <AD-JoinPoint-Name>·ExternalGroups Equals myAD.com/Users/Domain Users
  • check AD user attributes; e.g. <AD-JoinPoint-Name>.<nameOfAttribute>

For the last two, we need to pick the groups and attributes in the AD join point, before they are available as drop-down selections in the right-hand-side of the attribute-value pair.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
hslai
Cisco Employee
Cisco Employee

‎03-28-2019 09:26 AM

In case ISE authenticates the user using its AD credentials, we may use this dictionary attribute  Network Access·AuthenticationIdentityStore and set it to EQUALS to the name of the AD join point.

Other possibilities are:

  • ciscoAD·IdentityAccessRestricted, false if the user not disabled in AD and the password not expired
  • Network Access·AD-User-DNS-Domain or Network Access·AD-User-Join-Point
  • check AD group membership; e.g. <AD-JoinPoint-Name>·ExternalGroups Equals myAD.com/Users/Domain Users
  • check AD user attributes; e.g. <AD-JoinPoint-Name>.<nameOfAttribute>

For the last two, we need to pick the groups and attributes in the AD join point, before they are available as drop-down selections in the right-hand-side of the attribute-value pair.

0 Helpful
Customers Also Viewed These Support Documents