
ISE local identity store, local groups

jedavis
Level 4

I have a half dozen user names that I have entered into the ISE internal identity store. I have also created a user identity group "DeviceAdmins" that contains these half dozen names. Now what I would like to do is to create an authentication rule that checks the RADIUS-supplied user name to see if it is contained within the DeviceAdmins group and, if so, then use the internal identity store.

This seems like it should be simple but I don't know how to create the policy to bump the user name up against the contents of the identity group. The closest that I have gotten is to create an authentication compound condition that checks:

Radius:User-name equals userA or

Radius:user-name equals userB or (etc...)

Then use this condition in the policy statement and if it matches use the internal identity store.  But this ignores the user identity group entirely.  Is there any way to do this?

1 Reply

jj27
Spotlight

Your authentication policy should check against "Internal Users", then your Authorization policy should check User Identity Group "DeviceAdmins" with no RADIUS check and it should work.
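
The split described in the reply above, as an added Python model that is not part of the original thread and is not ISE configuration: authentication only selects the identity store and verifies the credential, and authorization then matches on identity group membership. The class and function names, the "Guests" group, the passwords and the default-deny rule are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class InternalUsers:
    """Toy stand-in for the internal identity store (constructed data)."""
    def __init__(self):
        self._users = {}  # name -> (salt, password hash, identity groups)

    def add(self, name, password, groups=()):
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt), set(groups))

    def authenticate(self, name, password):
        """Return the user's identity groups, or None if authentication fails."""
        rec = self._users.get(name)
        if rec is None:
            return None
        salt, digest, groups = rec
        if not hmac.compare_digest(digest, _hash(password, salt)):
            return None
        return groups

# Authorization rules: first match wins, no per-username RADIUS condition.
AUTHZ_RULES = [("DeviceAdmins", "PermitAccess")]
DEFAULT_RESULT = "DenyAccess"  # assumed default rule

def evaluate(store, username, password):
    # Stage 1, authentication policy: check against the internal users store.
    groups = store.authenticate(username, password)
    if groups is None:
        return "AuthenticationFailed"
    # Stage 2, authorization policy: match on identity group membership.
    for group, result in AUTHZ_RULES:
        if group in groups:
            return result
    return DEFAULT_RESULT

def build_store():
    store = InternalUsers()
    store.add("userA", "constructed-pw-A", ["DeviceAdmins"])
    store.add("userB", "constructed-pw-B", ["DeviceAdmins"])
    store.add("guest1", "constructed-pw-G", ["Guests"])  # valid user, wrong group
    return store
```

Adding another member to the group changes the outcome for that user without touching either policy, which is what the per-username compound condition cannot do.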
