06-15-2020 10:31 AM
Is it possible for 2 users to access the same ISE portal, authenticate, get assigned to two different groups and be mapped to two separate router VRFs based on these group attributes? Thank you,
06-15-2020 06:12 PM
ISE portal is defined with the Endpoint identity group, so the users authenticating via that portal become part of that group.
In my view, it is not possible with the same portal to assign users in 2 different groups.
06-15-2020 09:12 PM
This might be possible, but it depends on more detail about your flow and requirements.
What kind of portal authentication is it? Guest (Sponsored or Self-Registered) with internal users, Web Auth for external AD/LDAP users, etc.?
With Sponsored Guests, you can create separate Guest Types and ISE auto-creates a User Identity Group for each of those Guest Types. Any Guest accounts created are associated with that Guest Type UIG, and that can be used as a Condition match in your AuthZ Policy.
All Self-Registered Guest accounts for a single Portal, however, can only be associated to a single Guest Type.
If you're using Web Auth with external AD/LDAP user accounts, you should be able to use group membership of those users as a matching condition in the AuthZ Policy.
For each of the above examples where you have different matching conditions, the AuthZ Profile could assign a dynamic VLAN that would be mapped to your VRF.
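As an added illustration (not part of the thread or of any ISE documentation), here is what the last step looks like in practice: two AuthZ Profiles, each matched on a different Guest Type User Identity Group, return the standard RADIUS tunnel attributes for dynamic VLAN assignment, and the L3 switch binds each VLAN interface to its own VRF. VRF names, VLAN IDs, addresses and the RADIUS server address are constructed placeholders; the device syntax assumed is IOS-XE.

```cisco
! --- ISE side: attributes returned by each Authorization Profile ---
! (what the "VLAN" common task of an AuthZ Profile sends in the Access-Accept)
! AuthZ Profile "Guest_TypeA_VLAN"  <- rule matches Guest Type A's User Identity Group
!   Tunnel-Type             = 1:13      (VLAN)
!   Tunnel-Medium-Type      = 1:6       (IEEE-802)
!   Tunnel-Private-Group-ID = 1:10      (VLAN 10)
! AuthZ Profile "Guest_TypeB_VLAN"  <- rule matches Guest Type B's User Identity Group
!   Tunnel-Type             = 1:13
!   Tunnel-Medium-Type      = 1:6
!   Tunnel-Private-Group-ID = 1:20      (VLAN 20)

! --- L3 switch (IOS-XE): one VRF per guest VLAN, constructed names/addresses ---
vrf definition GUEST_A
 address-family ipv4
 exit-address-family
!
vrf definition GUEST_B
 address-family ipv4
 exit-address-family
!
vlan 10
 name GUEST_A
vlan 20
 name GUEST_B
!
! "vrf forwarding" must precede the address: applying it clears any existing IP
interface Vlan10
 vrf forwarding GUEST_A
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 vrf forwarding GUEST_B
 ip address 10.20.20.1 255.255.255.0
!
! The access device must be authorized to apply the VLAN that ISE returns
aaa new-model
aaa authorization network default group radius
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
```

A session that matches neither rule receives no Tunnel attributes and stays in the port's statically configured VLAN, so that default VLAN should itself sit in a VRF you are happy to have unmatched users land in.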