02-11-2020 07:06 AM
We have ISE 2.4 and Palo Alto Firewall admin authentication using RADIUS to ISE. The Palo Alto Admin Web GUI logins are working, but ISE is using our AD store (All_Users_ID_Stores) by default. I want to restrict the Palo Alto firewalls to use the local ISE accounts only, not AD.
I'm still learning ISE and appreciate help with how to restrict Palo Alto devices using RADIUS to use only the local ISE accounts.
I appreciate any help.
Jeff
02-11-2020 07:23 AM
Create a new policy set just for the Palo Alto firewalls. Ensure that the Palo Alto devices are grouped together in their own Network Device Group. The condition for the policy set would be Palo Alto group. Then create your authentication policy rule to only check the Internal Users identity store.
You could also use an existing policy set and just add a new authentication policy rule that looks for the condition of being in the Palo Alto network device group. Then point to the Internal Users identity store.
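The policy-set logic described in this answer, as an added Python model that is not ISE code or anything posted in this thread: RADIUS requests are matched to a policy set by the NAS's Network Device Group, and only the Palo Alto set consults the Internal Users store. Device names, IPs, group names and credentials are constructed for the example.

```python
# Constructed network devices keyed by NAS IP, with their Network Device Group.
NETWORK_DEVICES = {
    "10.0.0.1": {"name": "pa-fw-01", "ndg": "Device Type#All Device Types#Palo Alto"},
    "10.0.0.2": {"name": "core-sw-01", "ndg": "Device Type#All Device Types#Switch"},
}

# Constructed identity stores: ISE Internal Users and an AD join point.
INTERNAL_USERS = {"fwadmin": "S3cret!"}
AD_USERS = {"jeff": "Winter2020"}


def lookup_internal(user, pw):
    """Authenticate against the Internal Users store only."""
    return INTERNAL_USERS.get(user) == pw


def lookup_ad(user, pw):
    """Authenticate against the AD join point only."""
    return AD_USERS.get(user) == pw


def lookup_all_users_sequence(user, pw):
    """Model of the All_Users_ID_Stores sequence: AD first, then Internal Users."""
    return lookup_ad(user, pw) or lookup_internal(user, pw)


# Policy sets are evaluated top-down; the first matching condition wins.
# The Palo Alto set matches on NDG membership and points at Internal Users;
# everything else falls through to the default set and the AD-backed sequence.
POLICY_SETS = [
    {"name": "PaloAlto-Admin",
     "condition": lambda dev: dev["ndg"] == "Device Type#All Device Types#Palo Alto",
     "identity_store": lookup_internal},
    {"name": "Default",
     "condition": lambda dev: True,
     "identity_store": lookup_all_users_sequence},
]


def authenticate(nas_ip, user, pw):
    """Return (policy set name, accepted) for a RADIUS Access-Request."""
    dev = NETWORK_DEVICES.get(nas_ip)
    if dev is None:
        # ISE does not answer requests from NAS addresses it has no device entry for.
        return ("unknown-NAD", False)
    for ps in POLICY_SETS:
        if ps["condition"](dev):
            return (ps["name"], ps["identity_store"](user, pw))
    return ("no-match", False)
```

The useful check is the second case: a valid AD account is refused on the firewall because that policy set never reaches AD, while the same account still works on the switch through the default set.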
02-11-2020 04:32 PM
Colby:
That worked and thank you.
Jeff