Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1891
Views
0
Helpful
3
Replies

Understanding Authorization Profiles

Go to solution
russell.sage
Level 1
Level 1

‎06-24-2021 09:20 AM

I have a customer solution that has an authorization profile to allow users who register their details access to the internet with their personal devices.

The attached screenshots show the policy works but I can't understand how.

there are no users in the identity group used in the profile.

The users registers via an internal website that communicates with ISE via REST API.

Preview file
20 KB
Preview file
23 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎06-27-2021 03:16 PM - edited ‎06-27-2021 03:16 PM

This is your Policy Authorization Rule from your picture:

image.png

First condition matches on your SSID containing "MyInternet"

Second condition matches any ISE internal users in the group GuestType_MyInternet.

From your explanation, it sounds like you are adding guest users' Username and Password via REST API to the ISE internal identity group GuestType_MyInternet. This allows them to authenticate to SSID MyInternet so they can connect securely with PEAP rather than an open, unencrypted SSID. I figured this because even though you did not show your authentication policy,  you named your Authorization Result "PEAP/PermitAccess".

To find out exactly Why it is working, simply look at the ISE LiveLogs and click on the details icon next to a Passed Authentication to see all of the details that ISE went through to authenticate and authorize that endpoint including the user, identity store, protocols, authorization result, etc.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
NiTech
Level 1
Level 1

‎06-24-2021 03:11 PM

In this case internal users creates on the internal website and during the time of authentication which will push to ise using API. its like an automated process.

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎06-27-2021 03:16 PM - edited ‎06-27-2021 03:16 PM

This is your Policy Authorization Rule from your picture:

image.png

First condition matches on your SSID containing "MyInternet"

Second condition matches any ISE internal users in the group GuestType_MyInternet.

From your explanation, it sounds like you are adding guest users' Username and Password via REST API to the ISE internal identity group GuestType_MyInternet. This allows them to authenticate to SSID MyInternet so they can connect securely with PEAP rather than an open, unencrypted SSID. I figured this because even though you did not show your authentication policy,  you named your Authorization Result "PEAP/PermitAccess".

To find out exactly Why it is working, simply look at the ISE LiveLogs and click on the details icon next to a Passed Authentication to see all of the details that ISE went through to authenticate and authorize that endpoint including the user, identity store, protocols, authorization result, etc.

0 Helpful

Go to solution
russell.sage
Level 1
Level 1
In response to thomas

‎06-28-2021 12:35 AM

Thomas

Thanks for the reply. I did look at the logs. It states it matched against the conditions in the screenshot. The point of my post was that when you look in the internal identity GuestType_MyInternet there are no entries as seen in the second screenshot. So how is it matching?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents