ISE RADIUS: Is it possible to authenticate against one domain and authorize against another?

jedavis
Level 4

I have a Windows forest with 4 domains. I want to authenticate a user against DOMAIN-A and then check that same user for group membership in DOMAIN-B. So authentication policy says


If Radius:User-Name CONTAINS DOMAIN-A use DOMAIN-A

and authorization policy says

If DOMAIN-B:ExternalGroups EQUALS domain-b.company.com/blah/blah/blah


When I try this, authentication succeeds but it looks like it searches DOMAIN-A for group membership. Can I get it to search DOMAIN-B instead?


And what does "Queried PIP" mean?


24402 User authentication against Active Directory succeeded - HOUPCS
22037 Authentication Passed
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP - DOMAIN-B.ExternalGroups
24432 Looking up user in Active Directory - DOMAIN-A
24355 LDAP fetch succeeded - domain-a.company.com
24416 User's Groups retrieval from Active Directory succeeded - DOMAIN-A
15048 Queried PIP - DOMAIN-A.ExternalGroups
15048 Queried PIP - DOMAIN-B.ExternalGroups (2 times)
15048 Queried PIP - DOMAIN-C.ExternalGroups (2 times)
15048 Queried PIP - DOMAIN-D.ExternalGroups
15048 Queried PIP - DOMAIN-C.ExternalGroups
15048 Queried PIP - DOMAIN-A.ExternalGroups (2 times)
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject


Thanks for any help you can provide.

-Jeff
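An added troubleshooting helper, not from the original post or from Cisco: it parses an ISE step list like the one above (assumed format: five-digit step code followed by its message, fused or space-separated) and reports which AD join point actually supplied the user's groups versus which join points the authorization policy queried, so the DOMAIN-A/DOMAIN-B mismatch behind the Default/DenyAccess match is visible at a glance.

```python
import re

# Constructed sample: a subset of the step list from the post, as ISE prints it.
SAMPLE_STEPS = """\
24402 User authentication against Active Directory succeeded - HOUPCS
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP - DOMAIN-B.ExternalGroups
24432 Looking up user in Active Directory - DOMAIN-A
24355 LDAP fetch succeeded - domain-a.company.com
24416 User's Groups retrieval from Active Directory succeeded - DOMAIN-A
15048 Queried PIP - DOMAIN-A.ExternalGroups
15048 Queried PIP - DOMAIN-B.ExternalGroups (2 times)
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
"""

# Step code, then the message; '\s*' lets fused lines such as '24402User ...' parse too.
STEP_RE = re.compile(r"^(?P<code>\d{5})\s*(?P<msg>.+)$")


def parse_steps(text):
    """Return a list of (code, message) tuples, skipping lines that are not steps."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((m.group("code"), m.group("msg").strip()))
    return steps


def analyse(steps):
    """Summarise which join point supplied groups and which PIPs the policy asked for."""
    groups_from = None
    pips = []
    for code, msg in steps:
        if code == "24416":            # groups retrieval succeeded - <join point>
            groups_from = msg.rsplit(" - ", 1)[1]
        elif code == "15048":          # Queried PIP - <join point>.<attribute> [(n times)]
            pip = msg.split(" - ", 1)[1].split(".", 1)[0]
            if pip not in pips:
                pips.append(pip)
    matched = [m.rsplit(" - ", 1)[1] for c, m in steps if c == "15004"]
    return {
        "groups_from": groups_from,                       # join point that answered
        "pips_queried": pips,                             # join points the policy referenced
        "pips_without_groups": [p for p in pips if p != groups_from],
        "matched_rule": matched[0] if matched else None,
    }
```

Run `analyse(parse_steps(SAMPLE_STEPS))` on the post's log and `pips_without_groups` lists DOMAIN-B: its ExternalGroups condition was evaluated, but the only group retrieval ran against DOMAIN-A, so the rule fell through to Default.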

2 Replies

Colby LeMaire
VIP Alumni

I do not believe it is possible. Each user account, whether in a domain or a local machine account, has its own unique Security Identifier (SID) and that is what AD is looking at. Even with the same username, accounts in different domains will have different SIDs. ISE presents the username to you in the interface, but under the covers, it is using the SID. Same goes for groups and group membership lookups.

PIP is Policy Information Point which in this case is AD.

Cristian Matei
VIP Alumni

Hi,


This is not possible due to the inherent design of RADIUS, which performs both authentication and authorization in one process; these two steps are NOT independent. So if the user got authenticated by matching your ISE authentication rule which points to domain A, the user's attributes are picked from that domain, and all ISE authorization policies are matched against those attributes; you can't look elsewhere.

What exactly are you trying to achieve by authenticating the user against domain A and looking in domain B for the user in order to perform authorization? I'm sure we can find a solution if you explain the reason and scope.


Regards,

Cristian Matei.