cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
334
Views
1
Helpful
2
Replies

ISE : How to differentiate between AD Users AD and proxy radius users

Ditter
Participant
Participant

Hi to all,

i am looking of a way to differentiate between two kind of dot1x users:

1. Users that have to go through AD which is correctly configured as identity source in ISE and this rule is the only active rule in policy sets

and 

2. Users that go through proxy radius which also work correctly when this rule is the only active in policy sets 

But when i activate both rules, the proxy radius based users fail to authenticate when the AD rule is configured firstly and the same is true when the proxy radius rule is configured firstly then the AD users fail.

The problem as i see it is because the condition in the Policy sets is the same that is : Normalised Radius Flow Type EQUALS wired802_1x.

Any ideas how could i differentiate between these two flows (AD flow and Proxy radius flow)?

Thanks,

Ditter

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee
Cisco Employee

This sounds similar to the Eduroam use case example found here:

https://community.cisco.com/t5/security-knowledge-base/configuring-eduroam-on-cisco-identity-services-engine-ise/ta-p/3655672

You would need the username presented to ISE to differentiate between users in your realm (authenticated by your AD) versus users in another realm (proxied). Your Policy Set matching conditions would be based on those attributes.

View solution in original post

2 Replies 2

Greg Gibbs
Cisco Employee
Cisco Employee

This sounds similar to the Eduroam use case example found here:

https://community.cisco.com/t5/security-knowledge-base/configuring-eduroam-on-cisco-identity-services-engine-ise/ta-p/3655672

You would need the username presented to ISE to differentiate between users in your realm (authenticated by your AD) versus users in another realm (proxied). Your Policy Set matching conditions would be based on those attributes.

Thanks for the document. I added an AND statement in the two conditions to differentiate between users , something like the following: 

Normalised Radius Flow TYpe AND Radius User-Name contains (or NOT contains) the realm i want in order to send some users to proxy radius and some others in the Active Directory.

It seems that it is working in a way.

Ditter

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: