2039 Views | 10 Helpful | 9 Replies

ISE Authorization with multiple Identity Stores

hsangral (Cisco Employee)

Hello,

 

After converting the ACS config to ISE, I noticed that there are rules with conditions which check multiple identity stores for authorization.

 

As in the attached screenshot, one condition checks the user in an AD group and the other matches RSA.

 

Is something like this possible? Will these authorization rules check the user's presence in both of the identity stores?

1 Accepted Solution

Accepted Solutions

The authorization policy rule should work. However, I would recommend putting the AD condition last, so as to avoid AD lookups, which usually contribute more latency, if the other conditions fail.

9 Replies

Hi Hsangral,

 

You have created a policy with an AND condition, hence the lookup is happening in both AD and RSA. If you want to make an either/or choice, use OR conditioning.

 

You can play with the conditions based on your requirements. 

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept it as the solution if my response satisfied your question :)

Thanks Ravindran,

 

I understand that an OR condition is possible, but what I actually wanted to know is whether ISE would support multiple lookups in an authorization policy, like AD then RSA?

 

 

You can do multiple lookups in the authentication policy. If your ask is to log in to the NAD with AD and then use RSA for enable mode, you can achieve it with the authentication policy.

Create auth policy1 with TACACS service equals login and use AD as the identity store, and another auth policy2 with TACACS service equals enable and use RSA as the identity store.

 

In this way you can achieve AD + RSA to validate login.

 

-Aravind

My question still remains: can an authorization policy have a condition to do multiple lookups?

Please refer to the screenshot. Will something like this work? I am asking because these are the policies I got after the ACS config conversion.

 

I understand that we can have multiple conditions in auth policies like you said, but my question is regarding authorization.

Hi,

 

As far as I know, you do sequential lookups in the authentication policy, not the authorization policy.

In the authorization policy you define that if this user is part of, let's say, AD group /employee, then apply an authorization profile (VLAN, dACL, ...); you could do many.

In the authentication policy you can do sequential lookups (external identity group sequence).

 

Please rate if helpful

Thank you for the recommendation.

 

So the authorization condition would just check the presence of the user in the RSA and AD databases and should work?

 

 

Yes. This is a common use case.
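The accepted answer's advice (put the AD group condition last so a failing, cheaper condition short-circuits the rule before any AD lookup is made) is easy to see with a small model. The following Python is an added example written for this thread, not ISE code: it simulates an authorization rule whose conditions touch two identity stores, evaluates the conditions left to right with short-circuit AND/OR semantics (the assumption behind the accepted answer), and counts how many lookups each store receives. The user names, group name and store contents are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed stand-ins for the two identity stores in the thread.
RSA_USERS = {"alice", "bob"}                                   # users the simulated RSA server knows
AD_GROUPS = {"alice": {"NetAdmins"}, "carol": {"NetAdmins"}}  # simulated AD group membership


@dataclass
class LookupCounter:
    """How many times each identity store was queried while evaluating one rule."""
    rsa: int = 0
    ad: int = 0


@dataclass
class Condition:
    name: str
    check: Callable[[str, LookupCounter], bool]


def rsa_user_exists(user: str, counter: LookupCounter) -> bool:
    """Condition: the user is known to the RSA store (one RSA lookup)."""
    counter.rsa += 1
    return user in RSA_USERS


def ad_group_contains(group: str) -> Callable[[str, LookupCounter], bool]:
    """Condition factory: the user is a member of the given AD group (one AD lookup)."""
    def check(user: str, counter: LookupCounter) -> bool:
        counter.ad += 1
        return group in AD_GROUPS.get(user, set())
    return check


RSA_COND = Condition("RSA: user exists", rsa_user_exists)
AD_COND = Condition("AD: ExternalGroups EQUALS NetAdmins", ad_group_contains("NetAdmins"))


def evaluate(conditions: List[Condition], operator: str, user: str) -> Tuple[bool, LookupCounter]:
    """Evaluate a rule's conditions left to right with short-circuit semantics.

    'and' stops at the first False, 'or' at the first True; the counter records
    which stores were actually queried before the rule was decided.
    """
    if operator not in ("and", "or"):
        raise ValueError("operator must be 'and' or 'or'")
    counter = LookupCounter()
    for cond in conditions:
        result = cond.check(user, counter)
        if operator == "and" and not result:
            return False, counter
        if operator == "or" and result:
            return True, counter
    # All conditions were evaluated: AND succeeded, OR found nothing.
    return operator == "and", counter


def authorize(user: str, ad_last: bool = True) -> Tuple[bool, LookupCounter]:
    """The thread's rule (RSA AND AD group), with the AD condition first or last."""
    order = [RSA_COND, AD_COND] if ad_last else [AD_COND, RSA_COND]
    return evaluate(order, "and", user)


if __name__ == "__main__":
    for user in ("alice", "bob", "dave"):
        for ad_last in (False, True):
            ok, c = authorize(user, ad_last=ad_last)
            print(f"{user:6} ad_last={ad_last!s:5} -> {ok!s:5} rsa_lookups={c.rsa} ad_lookups={c.ad}")
```

Running it shows that for a user unknown to RSA the AD-last ordering decides the rule with a single RSA lookup and never touches AD, while the AD-first ordering pays the AD round trip first and only then fails on RSA; a user present in both stores costs one lookup per store either way. The same evaluator with `"or"` illustrates the either/or variant raised earlier in the thread, where the rule is decided as soon as one store answers yes.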