ISE Authentication Compound Condition help

Stally1003
Level 1

Hello,

I'm setting up an ISE authentication policy for VPN users.

My plan was to match tunnel group -and-> user exists in Active Directory -then-> use RSA server for AAA.

I have written the condition for the tunnel group match, but I'm confused and literally don't know how to write the condition for "user exists in Active Directory".

I have integrated my AD with ISE.

Please help me with this, guys. Thanks in advance.

Accepted Solution

hslai
Cisco Employee

In case ISE authenticates the user using its AD credentials, we may use the dictionary attribute Network Access·AuthenticationIdentityStore and set it to EQUALS the name of the AD join point.

Other possibilities are:

  • ciscoAD·IdentityAccessRestricted, which is false if the user is not disabled in AD and the password has not expired
  • Network Access·AD-User-DNS-Domain or Network Access·AD-User-Join-Point
  • check AD group membership; e.g. <AD-JoinPoint-Name>·ExternalGroups Equals myAD.com/Users/Domain Users
  • check AD user attributes; e.g. <AD-JoinPoint-Name>.<nameOfAttribute>

For the last two, we need to pick the groups and attributes in the AD join point before they are available as drop-down selections on the right-hand side of the attribute-value pair.


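The following is an added example, not code from the thread or from Cisco ISE: a small Python model of the compound rule the question describes (tunnel group AND "user exists in AD" THEN hand authentication to the RSA server), with the three AD-derived checks from the accepted answer as interchangeable legs. The join point name, group name, tunnel group name and sample sessions are constructed for the example. It illustrates two things the answer leaves implicit: a session that carries no AD attribute at all must fail the AD leg (an absent ciscoAD·IdentityAccessRestricted is not the same as "false"), and a group-membership check alone does not tell you whether the account is disabled.

```python
"""Toy model of an ISE compound authentication condition (added example, not ISE code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical names; substitute your own AD join point, group and tunnel group.
AD_JOIN_POINT = "myAD"
REQUIRED_AD_GROUP = "myAD.com/Users/Domain Users"
VPN_TUNNEL_GROUP = "RemoteAccess-VPN"


@dataclass
class Session:
    """Attributes ISE would have for one RADIUS authentication (constructed model)."""
    tunnel_group: str
    # Network Access·AuthenticationIdentityStore; None = no store has authenticated the user
    identity_store: Optional[str] = None
    # ciscoAD·IdentityAccessRestricted; False = account enabled and password not expired,
    # None = AD lookup never populated the attribute
    identity_access_restricted: Optional[bool] = None
    # <JoinPoint>·ExternalGroups as returned by the AD lookup
    external_groups: List[str] = field(default_factory=list)


def tunnel_group_matches(s: Session) -> bool:
    """First leg of the compound condition: the tunnel group the asker already matches."""
    return s.tunnel_group == VPN_TUNNEL_GROUP


def user_exists_in_ad(s: Session, via: str) -> bool:
    """Second leg, using one of the attributes listed in the accepted answer.

    A missing attribute is treated as NOT satisfied (fail closed): if the AD
    lookup never ran, there is nothing to prove the user exists.
    """
    if via == "identity_store":
        return s.identity_store == AD_JOIN_POINT
    if via == "access_restricted":
        return s.identity_access_restricted is False   # None must not pass
    if via == "external_groups":
        return REQUIRED_AD_GROUP in s.external_groups
    raise ValueError(f"unknown AD check {via!r}")


def select_identity_source(s: Session, via: str = "external_groups") -> str:
    """Evaluate tunnel-group AND user-in-AD; return the identity source the rule uses.

    "RSA_SecurID" stands for the RSA server sequence; "DenyAccess" stands for the
    policy set's fall-through when no rule matches (both names are illustrative).
    """
    if tunnel_group_matches(s) and user_exists_in_ad(s, via):
        return "RSA_SecurID"
    return "DenyAccess"


# Constructed sample sessions covering the interesting cases.
SAMPLES: Dict[str, Session] = {
    "vpn_user_in_group": Session(VPN_TUNNEL_GROUP, AD_JOIN_POINT, False, [REQUIRED_AD_GROUP]),
    "vpn_user_unknown_to_ad": Session(VPN_TUNNEL_GROUP),          # no AD attributes at all
    "vpn_user_disabled": Session(VPN_TUNNEL_GROUP, AD_JOIN_POINT, True, [REQUIRED_AD_GROUP]),
    "wrong_tunnel_group": Session("Admin-VPN", AD_JOIN_POINT, False, [REQUIRED_AD_GROUP]),
}


def evaluate_all(via: str = "external_groups") -> Dict[str, str]:
    """Run every sample session through the rule with the chosen AD check."""
    return {name: select_identity_source(s, via) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for check in ("identity_store", "access_restricted", "external_groups"):
        print(f"{check}: {evaluate_all(check)}")
```

Running it shows that only the IdentityAccessRestricted leg rejects the disabled account; the ExternalGroups leg still sends it on to RSA, which is why combining a group check with the restricted-access attribute is the safer choice when the goal is "user exists and is usable in AD".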