
New_to_ISE: How to Configure the policy set to hit only by the username.

Hi All,

I have 10 users and 10 profiles configured. Now I want to map profile 1 to user 1, i.e. when user 1 is authenticated, ISE has to send authorization profile1 in the Access-Accept, and likewise for all 10 users: 10 policy sets.

I tried with Radius-username in "string" and Identity Name in "string" but no luck. Can you please provide me the correct condition I need to use for the above scenario?

I am actually a FreeRADIUS user migrating to ISE. In FreeRADIUS, the contents of the Access-Accept lie under the username; I am looking for how to do the same in ISE.

Example FreeRADIUS profile:

User Auth-Type := eap, Cleartext-Password := "password"
    Reply-Message = "Hello, %u",
    Filter-Id = "test.in",
    Tunnel-type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 12,
    Cisco-AVPair += "ip:inacl#1=permit ip any 1.1.1.2 0.0.0.0"

User2 Auth-Type := eap, Cleartext-Password := "password"
    Reply-Message = "Hello, %u",
    Filter-Id = "test2.in",
    Tunnel-type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 12,
    Cisco-AVPair += "ip:inacl#1=permit ip any 1.1.1.1 0.0.0.0"


paul
Level 10

The RADIUS username or Network Access:Username attributes work. I use them all the time. Either you are failing in the authentication phase or your authorization rule is not quite right. Click on the details in the live log to see where things are failing.

Thanks for suggesting the solution. Can you please provide me the sample config?

Use the attributes I said, RADIUS:Username or Network Access:Username, to specify the username you are looking for. Use contains, matches, equals, etc. based on how you want to match it.


Hi,

I have tried what you said but no luck. Any correction in the attached policy condition?

That looks right. Paste in your authorization rule and the details of the authentication. The details should tell you what is going on.
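
Added example, not part of the original thread and not Cisco or FreeRADIUS code: a simplified Python model of top-down, first-match authorization rules keyed on the username, fed by entries in the FreeRADIUS users format quoted in the question. The sample entries, the function names and the first-match model are assumptions made for illustration; the point is that `equals` is the safe operator when one username (`User`) is contained in another (`User2`).

```python
import re

# Constructed sample in the FreeRADIUS "users" format quoted in the question.
USERS_FILE = '''\
User Auth-Type := eap, Cleartext-Password := "password"
    Filter-Id = "test.in",
    Tunnel-Private-Group-ID = 12

User2 Auth-Type := eap, Cleartext-Password := "password"
    Filter-Id = "test2.in",
    Tunnel-Private-Group-ID = 12
'''

def parse_users(text):
    """Return {username: {reply_attribute: value}} from a users-file fragment."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():        # unindented line starts a new entry
            current = line.split()[0]
            users[current] = {}
        elif current is not None:        # indented line is a reply item
            m = re.match(r'\s*([\w-]+)\s*\+?=\s*"?([^",]*)"?', line)
            if m:
                users[current][m.group(1)] = m.group(2)
    return users

# Hypothetical stand-ins for two of the operators mentioned in the thread.
OPERATORS = {
    "equals": lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
}

def build_rules(users, operator="equals"):
    """One rule per user: (operator, username pattern, attributes to return)."""
    return [(operator, name, attrs) for name, attrs in users.items()]

def authorize(rules, username):
    """Evaluate rules top-down and return the first match.

    None models falling through to the default rule.
    """
    for operator, pattern, attrs in rules:
        if OPERATORS[operator](username, pattern):
            return attrs
    return None
```

With `contains`, a request for `User2` is caught by the earlier `User` rule and receives `test.in`, so an exact match is the right choice for one-profile-per-user mappings.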