russell.sage
Beginner

Understanding Authorization Profiles

I have a customer solution that has an authorization profile to allow users who register their details access to the internet with their personal devices.

The attached screenshots show the policy works but I can't understand how.

There are no users in the identity group used in the profile.

The users register via an internal website that communicates with ISE via REST API.

Accepted Solution
thomas
Cisco Employee

This is your Policy Authorization Rule from your picture:

[screenshot: image.png]

First condition matches on your SSID containing "MyInternet"

Second condition matches any ISE internal users in the group GuestType_MyInternet.

From your explanation, it sounds like you are adding guest users' Username and Password via REST API to the ISE internal identity group GuestType_MyInternet. This allows them to authenticate to SSID MyInternet so they can connect securely with PEAP rather than an open, unencrypted SSID. I figured this because even though you did not show your authentication policy, you named your Authorization Result "PEAP/PermitAccess".

To find out exactly Why it is working, simply look at the ISE LiveLogs and click on the details icon next to a Passed Authentication to see all of the details that ISE went through to authenticate and authorize that endpoint including the user, identity store, protocols, authorization result, etc.

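The REST API provisioning the accepted answer describes, as an added example that is not code from the thread or from Cisco: it looks up the id of the GuestType_MyInternet identity group and creates an internal user in that group through the ISE ERS API, using only the Python standard library. The hostname, the ERS admin credentials, and the ERS paths, field names and filter syntax are assumptions based on Cisco's public ERS documentation.

```python
"""Provision an ISE internal user into an identity group via the ERS REST API.
Stdlib only. ISE_HOST, the ERS admin credentials and the ERS paths/filter syntax
are assumptions from Cisco's public ERS documentation, not from the thread."""
import base64
import json
import ssl
import urllib.request

ISE_HOST = "ise.example.com"           # assumed placeholder hostname
ERS_BASE = f"https://{ISE_HOST}:9060/ers/config"
GROUP_NAME = "GuestType_MyInternet"    # the group the authorization rule checks

def ers_headers(admin: str, password: str) -> dict:
    """JSON in/out plus HTTP basic auth for an ERS-enabled admin account."""
    token = base64.b64encode(f"{admin}:{password}".encode()).decode()
    return {"Accept": "application/json", "Content-Type": "application/json",
            "Authorization": f"Basic {token}"}

def extract_group_id(search_result: dict, name: str) -> str:
    """Pull the group id out of an ERS SearchResult. Fail loudly rather than
    create the user with no group: a user outside GuestType_MyInternet never
    matches the rule's second condition."""
    for res in search_result.get("SearchResult", {}).get("resources", []):
        if res.get("name") == name:
            return res["id"]
    raise LookupError(f"identity group {name!r} not found")

def build_internal_user(username: str, password: str, group_id: str) -> dict:
    """ERS InternalUser body; identityGroups takes the group id, not its name."""
    return {"InternalUser": {"name": username, "password": password,
                             "enabled": True, "identityGroups": group_id}}

def ers_call(method: str, path: str, headers: dict, body=None):
    """One ERS round trip. TLS verification stays on: trust the ISE admin
    certificate on this host rather than disabling checks."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ERS_BASE + path, data=data, headers=headers,
                                 method=method)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        raw = r.read()
        return r.status, (json.loads(raw) if raw else {})

if __name__ == "__main__":
    hdrs = ers_headers("ers-admin", "CHANGE-ME")           # assumed credentials
    _, found = ers_call("GET", f"/identitygroup?filter=name.EQ.{GROUP_NAME}", hdrs)
    gid = extract_group_id(found, GROUP_NAME)
    status, _ = ers_call("POST", "/internaluser", hdrs,
                         build_internal_user("guest01", "CHANGE-ME", gid))
    print("created" if status == 201 else f"unexpected HTTP {status}")
```

When the ISE internal user list shows nobody in the group, the first thing to compare is the identityGroups value the provisioning call actually sends against the id of the group the rule references.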

3 Replies
NiTech
Beginner

In this case, internal users are created on the internal website and, at the time of authentication, pushed to ISE using the API. It's like an automated process.


Thomas

Thanks for the reply. I did look at the logs. It states it matched against the conditions in the screenshot. The point of my post was that when you look in the internal identity GuestType_MyInternet there are no entries as seen in the second screenshot. So how is it matching?
