Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
538
Views
0
Helpful
2
Replies

ISE Authorization

Mostafa.Ragab
Level 1
Level 1

‎12-26-2017 01:46 AM - edited ‎02-21-2020 10:42 AM

Dears,

 

       I have ISE server and I am using dot1x to authorize users based on LDAP group. I want to make a double layer of authorization. When the user plug the network cable to the PC the PC should be authenticated and authorized as a domain machine (Using Domain machines LDAP group) then when the user log in the PC using his domain username he should be authenticated and authorized using his domain name.

 

My question here, How can I force the switch to make a COA to the PC whin the user log in with his domain username and password? and what is the order of authorization rules?

 

Thanks in advance :)

Labels:
0 Helpful
2 Replies 2

Francesco Molino
VIP Alumni
VIP Alumni

‎12-26-2017 08:41 AM

Hi,

CoA should be enabled globally. As soon as you log-in with username, CoA will be initiated. The order should be rules for username and after rule for machine.
To achieve that, you can use EAP-Chaining with Anyconnect or MAR (caching nethod agentless).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Mohammed al Baqari
Level 11
Level 11

‎12-26-2017 09:14 AM

With windows builtin supplicant I have seen coa not being sent many times.
Best option is to use anyconnect nam
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents