ISE - RADIUS AUTHENTICATION - Match on AD Group Membership to base Identity Source

jason.erbe
Level 1

Is it possible to match upon initial Authentication against an AD Group to then have a different Identity Source used?

Generally I'm only aware of it being possible to match against an AD Group AFTER a User has authenticated via an Authorization Policy. Use Case is for VPN users, and the client wants to slowly roll out changing authentication sources (AD to MFA). I've gotten the standard method I'm aware of working, which is via matching on a different Group-Policy and/or Tunnel-Group from the ASA, but they were looking for an easier method to deploy to end users.

If they can't get it to work this way, then I'll just work on modifying the AnyConnect Profile to point to the new FQDN URL and call it good, but I wanted to ask this space if they had ever tried matching against AD Group during initial Authentication Queries.

I'm thinking not, the more I think of it, as the endpoint/user hasn't been sent to the Identity Source which would then pull/provide those details.

Accepted Solutions

Francesco Molino
VIP Alumni
Hi

You can't use AD group in the authentication rule, only on authorization.
You need to differentiate using other attributes like you said.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
