
ISE condition based on passive-id lookup failure ?

mulatif
Cisco Employee

Hi,

Is it possible to have the below flow?

1. Authz profile with passive-id tracking (ACL-A applied)

2. Passive-ID success (CoA and now apply ACL-B)

OR

3. Passive-ID look-up failure, i.e. User not found (CoA and now apply ACL-C)

I am struggling to find how to detect the "passive-id --> User not found" condition.

The desired use-case/flow:

1. Endpoint connected and limited ACL applied as needed for AD-Login (Passive-ID tracking enabled)

2. If Passive-ID is a success then Employee-ACL applied.

3. If Passive-ID look-up doesn't find the User then Guest-ACL applied.

I understand that we can probably add on Guest Access to the "limited ACL" (in the Passive-ID tracking Authz rule), if the above is not possible.

Thanks,

Naman

Accepted Solution

Craig Hyps
Level 10

The Passive ID tracking option essentially states "for any user authorized with this policy, watch for any merged entries and issue CoA". By merged entry, I am referring to the case where a RADIUS session is correlated with a Passive ID session based on matching IP address.

If there is no tracking enabled, or if there is tracking but no merger of entries, then there will be no lookup based on Passive Identity. In other words, if Passive ID lookup fails, then there is no merged entry to start with. A tracked entry that is merged will trigger a CoA. On reauth there will be an option to match on Passive ID attributes. Along with the original authorization or post-merge authorization, you can choose to assign ACL, VLAN, SGT, etc.

Likely what you want is to combine the limited access ACL (AD-Login) with a Guest ACL or a CWA authorization to redirect web to a guest portal. If an AD user logs in, then they will match the Employee Policy. If not, then they will get redirected to the guest portal.

Craig
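To make the asymmetry in the accepted answer concrete, here is an added Python model (not ISE code, and not part of the original thread) of the correlation it describes: a RADIUS session and a Passive ID event are merged only on a matching IP address, a merge on a tracked session issues CoA and triggers a reauthorization that can match on the Passive ID username, and a lookup that finds no user produces no merged entry at all, so no CoA is ever issued and the endpoint keeps the ACL from its initial authorization. The rule names, ACL names, addresses and usernames are invented for the example; the initial ACL deliberately bundles guest access with the limited AD-login access, which is the design the answer recommends.

```python
"""
Constructed model of ISE-style Passive ID tracking, following the accepted
answer: merge by IP, CoA only on a merged+tracked session, reauth matches on
the merged Passive ID attributes. A "User not found" lookup never merges, so
it never produces a CoA. All names and values below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RadiusSession:
    mac: str
    ip: str
    acl: str
    tracking: bool                       # "Passive ID tracking" on the authz profile
    passive_id_user: Optional[str] = None
    coa_issued: int = 0


@dataclass
class PassiveIdEvent:
    ip: str
    user: Optional[str]                  # None models a "User not found" lookup result


# Assumed policy: the initial rule combines limited AD-login access with guest
# access, because a failed lookup will never trigger a second evaluation.
INITIAL_ACL = "AD-Login-Limited+Guest"
EMPLOYEE_ACL = "Employee-ACL"


def initial_authorization(mac: str, ip: str) -> RadiusSession:
    """First authz on connect: limited ACL with Passive ID tracking enabled."""
    return RadiusSession(mac=mac, ip=ip, acl=INITIAL_ACL, tracking=True)


def reauthorize(session: RadiusSession) -> str:
    """Policy evaluated after CoA: a merged Passive ID username matches the Employee rule."""
    session.acl = EMPLOYEE_ACL if session.passive_id_user else INITIAL_ACL
    return session.acl


def merge_passive_id(sessions: Dict[str, RadiusSession], event: PassiveIdEvent) -> bool:
    """Correlate a Passive ID event with a RADIUS session by IP address.

    Returns True if a CoA was issued. A lookup failure (user is None) carries no
    identity to merge, so it returns False without touching any session.
    """
    if event.user is None:
        return False                     # nothing to merge: no entry, no CoA
    session = sessions.get(event.ip)
    if session is None:
        return False                     # no RADIUS session on that IP
    session.passive_id_user = event.user
    if not session.tracking:
        return False                     # merged, but this profile did not ask for CoA
    session.coa_issued += 1
    reauthorize(session)
    return True


def run_scenario(events: List[PassiveIdEvent]) -> Dict[str, str]:
    """Two constructed endpoints on one switch; returns the final ACL per MAC."""
    sessions = {
        "10.0.0.11": initial_authorization("aa:bb:cc:00:00:11", "10.0.0.11"),
        "10.0.0.12": initial_authorization("aa:bb:cc:00:00:12", "10.0.0.12"),
    }
    for ev in events:
        merge_passive_id(sessions, ev)
    return {s.mac: s.acl for s in sessions.values()}


if __name__ == "__main__":
    events = [
        PassiveIdEvent(ip="10.0.0.11", user="jdoe"),   # AD login seen for .11
        PassiveIdEvent(ip="10.0.0.12", user=None),     # lookup failure for .12
    ]
    # .11 ends on Employee-ACL after CoA; .12 stays on the initial ACL with no CoA
    print(run_scenario(events))
```

The endpoint whose lookup failed is only ever evaluated once, which is why the guest access has to live in the initial rule (or in a CWA redirect attached to it) rather than in a rule that expects a second evaluation.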
