cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
487
Views
3
Helpful
3
Replies

"Network Access.AuthenticationIdentityStore" condition

Hi all;

Based on CiscoLive 2020, session "Walking on solid ISE", as you can see below, using the "Network Access·AuthenticationIdentityStore" condition can reduce external ID store lookups. Right?

rezaalikhani_0-1718284125524.png

I want to know that, how this condition can reduce the External ID store lookup?

Thanks

1 Accepted Solution

Accepted Solutions

Regarding "Network Access·AuthenticationIdentityStore", that would be an additional optimisation for ISE, since this is an internal flag set by ISE to inform us how the Authentication was done. If during AuthZ you know whether Internal Users were used or External Lookups, you might be able to optimise your AuthZ conditions - e.g. if your AuthZ Rules are a mix and match of different things, where some apply to AD AuthN and some apply to Internal User AuthN, then you could make Network Access·AuthenticationIdentityStore part of the Condition. If you didn't do this, then ISE would have to brute force execute all the AuthZ Rules until it finds a match, checking things that make no logical sense, based on the AuthN that happened previously.

Honestly, I have never used this and perhaps I should, but I think it would be helpful in very busy ISE nodes, and one might also just think about re-factoring the Policy Sets to ensure they are organised to prevent this from happening in the first place. My top tip is to think of Policy Sets as a binary tree - try splitting the tree into logical branches as soon as possible, and avoid re-testing things you already tested before (e.g. only check the SSID once and then branch off, and use that as a context for further processing).

People who make one long Policy Set and then test for all possible conditions can learn a thing or two from computer scientists/programmers way of thinking. 

View solution in original post

3 Replies 3

@rezaalikhani

In the first rule ISE is going to do an external lookup to AD first, which is time consuming. If it matches the AD group it will then check to see the WLAN ID. ISE already knows what the WLAN ID as it was sent in the RADIUS packet, so no external lookup and is therefore less time consuming.

In the second rule, ISE already knows the WLAN ID so no external lookup performed, if it matches, only then it will perform an external lookup to AD. If the WLAN ID does not match, the rule is skipped and it would not perform an external AD lookup, so this rule is more efficient.

Thanks for your reply;

What about the "Network Access·AuthenticationIdentityStore" condition? What do you think?

Thanks

Regarding "Network Access·AuthenticationIdentityStore", that would be an additional optimisation for ISE, since this is an internal flag set by ISE to inform us how the Authentication was done. If during AuthZ you know whether Internal Users were used or External Lookups, you might be able to optimise your AuthZ conditions - e.g. if your AuthZ Rules are a mix and match of different things, where some apply to AD AuthN and some apply to Internal User AuthN, then you could make Network Access·AuthenticationIdentityStore part of the Condition. If you didn't do this, then ISE would have to brute force execute all the AuthZ Rules until it finds a match, checking things that make no logical sense, based on the AuthN that happened previously.

Honestly, I have never used this and perhaps I should, but I think it would be helpful in very busy ISE nodes, and one might also just think about re-factoring the Policy Sets to ensure they are organised to prevent this from happening in the first place. My top tip is to think of Policy Sets as a binary tree - try splitting the tree into logical branches as soon as possible, and avoid re-testing things you already tested before (e.g. only check the SSID once and then branch off, and use that as a context for further processing).

People who make one long Policy Set and then test for all possible conditions can learn a thing or two from computer scientists/programmers way of thinking.