ISE - RADIUS AUTHENTICATION - Match on AD Group Membership to base Identity Source

Is it possible to match upon initial Authentication against an AD Group to then have a different Identity Source used?

 

Generally I'm only aware of it being possible to match against an AD Group AFTER a User has authenticated via an Authorization Policy. Use Case is for VPN users, and the client wants to slowly roll out changing authentication sources (AD to MFA). I've gotten the standard method I'm aware of working, which is via matching on a different Group-Policy and/or Tunnel-Group from the ASA, but they were looking for an easier method to deploy to end users.

 

If they can't get it to work this way, then I'll just work on modifying the AnyConnect Profile to point to the new FQDN URL and call it good, but I wanted to ask this space if they had ever tried matching against AD Group during initial Authentication Queries.

 

I'm thinking not, the more I think of it, as the endpoint/user hasn't been sent to the Identity Source which would then pull/provide those details.

Accepted Solutions

Re: ISE - RADIUS AUTHENTICATION - Match on AD Group Membership to base Identity Source

Hi

You can't use AD group in the authentication rule, only on authorization.
You need to differentiate using other attributes like you said.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
