03-19-2025 09:32 AM
Hello,
is it possible to use two external identity sources one after the other?
We do TACACS and RADIUS for admin access to network and security devices.
In a first authentication step I need to ask AD because there is an MFA system connected to it.
But in a second step I should get the groups/roles from another LDAP system.
In the third step in the authorization we use the LDAP groups to grant the right permission and profile.
I know the identity source sequence, but this looks like it is used only until the first source has been used successfully.
Every other source in the order will be skipped.
Thank you for a hint!
03-19-2025 06:34 PM
You can use one Identity Source for Authentication (in your case, AD) and when that has passed, you proceed to Authorization.
In the ISE Authorization Policy Rules, assuming your ISE is bound to the LDAP directories that know of the Identity that passed Authentication, then you can refer to LDAP Groups and Attributes that you have added in the LDAP Identity Source config, in your Authorization Rules. ISE will then bind to those directories and query them for the Identity in question to see if there are matches on attributes/OU etc.
e.g. from my lab:
03-20-2025 07:55 AM
Hello Arne, and thank you for the reply!
I tried to configure that on my test system with v3.3p4. But it was not successful.
For testing I added the internal user database in the authentication policy.
In the authorization policy I added a condition for the device type AND the LDAP group that I get back from LDAP if I use it for authentication.
I can configure it, but I'm not allowed to save it.
If I delete the LDAP part of the condition, it can be saved.
03-20-2025 02:08 PM
Hi
Getting LDAP to work in ISE is always a bit tricky. But it does work. Your Authorization Rule looks different to mine. Perhaps you have not locked onto the LDAP.
Here is my lab setup - I am binding to a Windows Server (using LDAP)
Finally, the Groups tab. I didn't type this into ISE. I clicked on Add, then "Select Groups from Directory", then used "*" as the search and clicked 'Retrieve Groups'. If your LDAP binding is working, then you will see all the Groups listed. Select the ones you want and click OK. Then click Save on the final page.
My Authorization Policy
Here is the end of the Live Logs 802.1X EAP-PEAP Authentication Details "Steps" to show how ISE goes to LDAP to fetch Groups. Authentication was EAP-PEAP (MSCHAPv2)
I have to admit that when my Authorization Rule was checking for Group "Domain User", ISE rejected - but with "Domain Admin" it worked - when I browsed the user "abier" in ISE's LDAP browser (browse "Attributes"), I could see "memberOf" only containing Domain Admin. My point about "LDAP is tricky" ... perhaps something is not right in how I am telling ISE in the LDAP setup WHERE to look for Groups. Maybe the Groups are searched and mapped incorrectly in my case.
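The memberOf observation above matches a documented Active Directory behaviour: a user's primary group (Domain Users by default, RID 513) is not listed in memberOf but is carried in the primaryGroupID attribute, so a group check that reads memberOf alone never sees it. The following added example is not from this thread or from ISE; it models the thread's authorization rule (device type AND external group) over constructed directory entries and shows how the primary group is recovered from objectSid and primaryGroupID.

```python
import struct

DOMAIN = "DC=example,DC=test"  # constructed sample domain

def sid_bytes_to_string(sid: bytes) -> str:
    """Convert a binary objectSid as returned over LDAP into S-1-5-21-... text."""
    revision, sub_count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")            # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)  # little-endian sub-authorities
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group's SID is the user's domain SID with primaryGroupID as the RID."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)

def effective_groups(user_entry: dict, groups_by_sid: dict) -> list:
    """Direct group DNs of a user: memberOf plus the primary group that memberOf omits."""
    groups = list(user_entry.get("memberOf", []))
    user_sid = sid_bytes_to_string(user_entry["objectSid"])
    pg_dn = groups_by_sid.get(primary_group_sid(user_sid, int(user_entry["primaryGroupID"])))
    if pg_dn and pg_dn not in groups:
        groups.append(pg_dn)
    return groups

def authorize(groups: list, device_type: str, required_group: str,
              required_device_type: str = "Switch") -> bool:
    """Model of the rule in the thread: device type AND external group must both match."""
    return device_type == required_device_type and required_group in groups

# Constructed sample data standing in for directory entries (not real directory data).
SAMPLE_USER = {
    "objectSid": b"\x01\x05" + (5).to_bytes(6, "big")
                 + struct.pack("<5I", 21, 1111, 2222, 3333, 1105),
    "primaryGroupID": 513,                                # Domain Users RID
    "memberOf": ["CN=Domain Admins,CN=Users," + DOMAIN],  # primary group is absent here
}
SAMPLE_GROUPS = {  # objectSid -> DN, as a group retrieval from the directory would return
    "S-1-5-21-1111-2222-3333-512": "CN=Domain Admins,CN=Users," + DOMAIN,
    "S-1-5-21-1111-2222-3333-513": "CN=Domain Users,CN=Users," + DOMAIN,
}

if __name__ == "__main__":
    users_dn = "CN=Domain Users,CN=Users," + DOMAIN
    print("memberOf only:", authorize(SAMPLE_USER["memberOf"], "Switch", users_dn))  # False
    print("with primary :", authorize(effective_groups(SAMPLE_USER, SAMPLE_GROUPS),
                                       "Switch", users_dn))                          # True
```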
03-21-2025 10:23 AM
Thanks for that description of your config. Yes, you are right, this LDAP syntax is always strange for me...
We did some more testing today, and found a solution, I think.
We configured it again from the beginning and now the roles can be used as expected.
In our case we have two different external sources:
1. Active Directory (AD) for the authentication
2. Another independent LDAP system with all our needed roles/groups
AD is now configured for the authentication policy. This works as expected without any issues.
In the authorization policy we use the externalGroup configured on the LDAP system as the condition.
I'm a little positively surprised that it works like that, and that ISE communicates directly with the external source which is configured in the authorization policy.