03-07-2018 10:44 PM - edited 03-26-2024 03:46 AM
Hi Guys,
I need to configure a backup identity store (actually the local database of the ISE), but it should be used only when the primary (in this case Active Directory) fails. The users in the local database should not be usable if the AD is reachable. Is this possible?
03-07-2018 10:52 PM
Yes, put all identity sources in an identity source sequence.
Assign the source sequence to your flow
03-07-2018 11:37 PM
When an Identity Source Sequence is created, ISE will go through the chosen identity stores in the order they are placed until it hits a match, much like ACL behavior. When that match is hit, it will stop the sequence of lookups.
e.g.
In the above snapshot, if you were to choose AD1 as the first identity store and then Internal Users as your second, then ISE would search for the user under AD1 and, if not found, would move on to Internal Users.
Hope that's clear.
03-08-2018 12:09 AM
Thanks for the quick response guys, but that doesn't solve my case ... because I want the ISE to use the local database only in a situation when the AD is not reachable (fail). The Identity Source Sequence is configured just like you have suggested, of course, but in this situation there will be users in the local database that will always have access, even if the AD is up, and I don't want that.
03-08-2018 01:43 AM
Sounds like you have the same accounts on both the internal and AD databases.
In that case ISE does not support this option.
03-08-2018 01:51 AM
No, the accounts are different, but I want the accounts from the local store to be usable only if the primary ID store fails (in my case the AD and the ISE are not in the same location and sometimes there are connectivity issues). There are options in the authentication policies (continue, reject and drop), but when I tried to configure it with them, they didn't work like I expected.
03-08-2018 03:47 AM
ISE does not support this. If you feel this is a feature that is needed, I recommend you contact your Cisco representative with your use case.
03-08-2018 11:38 AM
Hi Stoyan,
There is another option in the Identity store sequence at the end to deal with the situation when the ID store is not accessible.
Have you tried this?
-Krishnan