Restrict RADIUS Device to Local ISE Accounts

jeff6strings
Level 1

We have ISE 2.4 and Palo Alto Firewall admin authentication using RADIUS to ISE. The Palo Alto Admin Web GUI logins are working, but ISE is using our AD store (All_Users_ID_Stores) by default. I want to restrict the Palo Alto firewalls to use the local ISE accounts only, not AD.

I'm still learning ISE and appreciate help with how to restrict Palo Alto devices using RADIUS to use only the local ISE accounts.

I appreciate any help.

Jeff

Accepted Solutions

Colby LeMaire
VIP Alumni

Create a new policy set just for the Palo Alto firewalls.  Ensure that the Palo Alto devices are grouped together in their own Network Device Group.  The condition for the policy set would be Palo Alto group.  Then create your authentication policy rule to only check the Internal Users identity store.

You could also use an existing policy set and just add a new authentication policy rule that looks for the condition of being in the Palo Alto network device group.  Then point to the Internal Users identity store.

2 Replies

Colby:

That worked and thank you.

Jeff