Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4896
Views
20
Helpful
6
Replies

ISE device authentication local and AD in one policy

Go to solution
wkamil123
Level 1
Level 1

‎05-13-2020 04:38 AM

Hello,

I have a little issue to configure policy to TACACS+ device authentication to authorize users from local and AD users on one policy.

In first policy when the user is not found in local store then the second option is not taken - AD Domain.

If user is not found in local policy then is found in domain store but do not place in proper authorization policy.

Is there any option to combine local and AD store in one policy?

 

 

Labels:
Preview file
70 KB
Preview file
46 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to wkamil123

‎05-14-2020 03:50 PM

Something I want to clarify about your Authentication Policy. The option for 'If user not found = CONTINUE' means that the session will continue to the Authorization Policy. It does not mean that the session will continue to the next Authentication Policy rule, so your second AuthC rule for 'AD' will never be hit.

As @paul mentioned earlier, you need to use an Identity Source Sequence in your AuthC policy to achieve what you are trying to do and ensure the option for 'Treat as if the user was not found and proceed to the next store in the sequence' is ticked.

Example:

Screen Shot 2020-05-15 at 8.42.28 am.png

 

Secondly, I would suggest the following for the issue where the session is not hitting your AuthZ Policy Rule for the AD Group match.

  1. Use the Test User lookup tool in ISE (In the AD config section) and confirm that ISE sees the correct group membership for the AD user account.
  2. Ensure the user account used to join the domain as well as the machine account have the correct permissions as per the Active Directory Integration with Cisco ISE 2.x  guide (especially the read tokenGroups permission)

If all else fails, you may need to open a TAC case to gather debugs and investigate further.

View solution in original post

6 Replies 6

Go to solution
paul
Level 10
Level 10

‎05-13-2020 06:50 AM

You authentication policy is wrong.  You almost never want to setup User Not found to Continue when you are using credential based authentication. You should be using a sequence which is the proper way to do this.

 

Setup an identity source sequence called AD_Local.  Put AD first in the list then Internal Users.  Just use the default authentication rule and tie it to the AD_Local sequence.

Go to solution
wkamil123
Level 1
Level 1
In response to paul

‎05-13-2020 12:14 PM

Thanks for your replay.

The Internal user can login successful but the AD user is not. The AD user stay in authentication policy even if authentication passed.

Can you clarify me about attributes in line below 24100.

The AD user can log in when the policy is without internal store rule.

I have tested with group fetched from AD but the result is the same.

 

24420 User's Attributes retrieval from Active Directory succeeded
24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes
15048 Queried PIP - Poznan.zvni.com.ExternalGroups
13015 Returned TACACS+ Authentication Reply

Preview file
135 KB
Preview file
28 KB
0 Helpful

Go to solution
poongarg
Cisco Employee
Cisco Employee
In response to wkamil123

‎05-13-2020 08:58 PM

Kindly refer below community link:

https://community.cisco.com/t5/network-access-control/ise-not-pulling-all-identity-attributes-from-ad/td-p/3607287

 

Also make sure that the AD user is a member of Netops identity group on AD as per the configured authorization rule.

 

Go to solution
wkamil123
Level 1
Level 1
In response to poongarg

‎05-14-2020 05:21 AM

@poongargthanks for reply and attributes explanation.

 

I don't know what I'm going wrong but the tested user is a member of Netops group in AD but it cannot be authorized properly.

I was created simply rule but it's not work properly.

Preview file
32 KB
Preview file
129 KB
0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to wkamil123

‎05-14-2020 03:50 PM

Something I want to clarify about your Authentication Policy. The option for 'If user not found = CONTINUE' means that the session will continue to the Authorization Policy. It does not mean that the session will continue to the next Authentication Policy rule, so your second AuthC rule for 'AD' will never be hit.

As @paul mentioned earlier, you need to use an Identity Source Sequence in your AuthC policy to achieve what you are trying to do and ensure the option for 'Treat as if the user was not found and proceed to the next store in the sequence' is ticked.

Example:

Screen Shot 2020-05-15 at 8.42.28 am.png

 

Secondly, I would suggest the following for the issue where the session is not hitting your AuthZ Policy Rule for the AD Group match.

  1. Use the Test User lookup tool in ISE (In the AD config section) and confirm that ISE sees the correct group membership for the AD user account.
  2. Ensure the user account used to join the domain as well as the machine account have the correct permissions as per the Active Directory Integration with Cisco ISE 2.x  guide (especially the read tokenGroups permission)

If all else fails, you may need to open a TAC case to gather debugs and investigate further.

Go to solution
wkamil123
Level 1
Level 1
In response to Greg Gibbs

‎05-18-2020 11:49 AM

Thanks guys, all suggestions were helpful.

The issue resolved by rejoin to AD domain.

 

0 Helpful
Customers Also Viewed These Support Documents