ISE : How to differentiate between AD Users AD and proxy radius users

Ditter
Level 4

Hi to all,

I am looking for a way to differentiate between two kinds of dot1x users:

1. Users that have to go through AD, which is correctly configured as an identity source in ISE; this works when this rule is the only active rule in Policy Sets.

and 

2. Users that go through proxy RADIUS, which also works correctly when this rule is the only active rule in Policy Sets.

But when I activate both rules, the proxy RADIUS users fail to authenticate when the AD rule is configured first, and likewise when the proxy RADIUS rule is configured first the AD users fail.

The problem as I see it is that the condition in the Policy Sets is the same for both, namely: Normalised Radius Flow Type EQUALS wired802_1x.

Any ideas how I could differentiate between these two flows (AD flow and proxy RADIUS flow)?

Thanks,

Ditter

Accepted Solution

Greg Gibbs
Cisco Employee

This sounds similar to the Eduroam use case example found here:

https://community.cisco.com/t5/security-knowledge-base/configuring-eduroam-on-cisco-identity-services-engine-ise/ta-p/3655672

You would need the username presented to ISE to differentiate between users in your realm (authenticated by your AD) versus users in another realm (proxied). Your Policy Set matching conditions would be based on those attributes.


2 Replies

Thanks for the document. I added an AND statement to the two conditions to differentiate between users, something like the following:

Normalised Radius Flow Type AND Radius User-Name CONTAINS (or NOT CONTAINS) the realm I want, in order to send some users to proxy RADIUS and others to Active Directory.

It seems that it is working in a way.

Ditter
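As an added illustration, not from the thread or from Cisco, a small first-match simulator of the policy-set logic discussed above: two sets keyed only on flow type collide, while ANDing a User-Name realm test into each (as in the last reply) makes them disjoint. The realm names, attribute keys and the NAI/down-level username parsing are constructed assumptions, not ISE behaviour.

```python
"""Constructed model of ISE first-match policy-set evaluation for the
wired 802.1X case in this thread.  Not ISE code; attribute names only
loosely mirror the ISE UI."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: realms served by the local AD (DNS name and NetBIOS name).
LOCAL_REALMS = {"corp.example.com", "corp"}

# Accept NAI form (user@realm) or Windows down-level form (DOMAIN\user).
_NAI = re.compile(r"^[^@\\]+@(?P<realm>[^@]+)$")
_DOWNLEVEL = re.compile(r"^(?P<realm>[^@\\]+)\\[^@\\]+$")

def realm_of(user_name: str) -> Optional[str]:
    """Return the realm carried in a RADIUS User-Name, or None if absent."""
    for pat in (_NAI, _DOWNLEVEL):
        m = pat.match(user_name.strip())
        if m:
            return m.group("realm").lower()
    return None

def is_local(user_name: str) -> bool:
    """True when the realm belongs to the local AD; a bare username
    (no realm at all) is treated as local here."""
    realm = realm_of(user_name)
    return realm is None or realm in LOCAL_REALMS

Request = Dict[str, str]
PolicySets = List[Tuple[str, Callable[[Request], bool]]]

def evaluate(request: Request, policy_sets: PolicySets) -> str:
    """First-match: the first policy set whose condition holds wins."""
    for name, condition in policy_sets:
        if condition(request):
            return name
    return "Default"

def flow_is_wired_dot1x(req: Request) -> bool:
    return req["Normalised Radius Flow Type"] == "Wired802_1x"

# Broken: identical conditions, so whichever set is listed first catches
# every wired 802.1X request and the other population fails to authenticate.
BROKEN: PolicySets = [("AD_Users", flow_is_wired_dot1x),
                      ("Proxy_RADIUS", flow_is_wired_dot1x)]

# Fixed: AND a realm test into each condition so the two sets are disjoint.
FIXED: PolicySets = [
    ("AD_Users", lambda r: flow_is_wired_dot1x(r) and is_local(r["User-Name"])),
    ("Proxy_RADIUS", lambda r: flow_is_wired_dot1x(r) and not is_local(r["User-Name"])),
]

def route(user_name: str, policy_sets: PolicySets = FIXED) -> str:
    """Build a constructed wired 802.1X request and return the matched set."""
    req = {"Normalised Radius Flow Type": "Wired802_1x", "User-Name": user_name}
    return evaluate(req, policy_sets)
```

Swapping the order of the two sets in BROKEN flips which population fails, which is the symptom described in the question; under FIXED the order no longer matters.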