I am using EAP-TLS auth policy and using machine and user authorization policies. The machine authorization works fine but user authorization does not work, as described below.
I have users and machines in the same security group. I have different VLANs and am assigning the VLAN as per security group membership. Like HR users and computers are part of the HR security group.
My machine auth is working fine, but when users log in then it's not switching to the user auth policy, as the reason is that both are part of the same security group. How can I make this work so that it switches to the user auth policy, as I need it for Admin users so that when they log in they will get the VLAN that is for Administrators?
You should create an additional authorization rule positioned above the existing rule, matching the admin users group. Assign your permissions (VLAN) as you require. When an admin user now connects they should match this rule and not your existing rule. Computers and non-admin users would still match the existing rule.
What if a management VLAN user connects to a computer authorized in the HR VLAN?
I want to have a rule that performs dynamic reauthorization.
I don't have access to ISE to hand, to confirm... but I imagine you could select VLAN ID as a condition for your authorization rule. E.g. "Admin Group" AND "HR vlan id".
The VLAN assignment is not the issue. My issue is that my machine authentication works but my user authentication doesn't work, because both are in the same security group. I need some RADIUS value for authorization that differentiates that a user is logging on; now the machine authorization policy should be switched to the user authorization policy.
You need something for ISE to be able to distinguish the difference between a user and a computer; if they are in the same group that isn't going to work.
The obvious thing to do would be to create another group and add either the users or the computers. Or you could just rely on the default AD groups, for example all domain-joined computers are members of "Domain Computers". Therefore create an AuthZ rule: if "Domain Computers" AND "whatever group you've created", then the other AuthZ rule should only match for users.
One more thought came to my mind and I guess it should work.
I have a computer policy that is authorizing HR users to VLAN 100 based on the HR security group from AD, and only HR users and computers are part of that.
Now I have another authorization policy for Admins, and Admin users and their computers are part of that.
When an HR computer boots up it gets a VLAN IP from the HR VLAN, but when an Admin logs in to it then it should change the VLAN and get the IP address from the Admin VLAN.
I am trying this scenario but it's not working. I am using EAP-TLS for authentication.
Yes, you can use the host/ AND group name for the computer AuthZ rule. You shouldn't need to do anything special for the user AuthZ rule if the computer rule is placed above the user AuthZ rule.
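The two points made in the replies above (rule order matters because ISE takes the first match, and the "host/" identity prefix of a machine authentication is what separates a computer session from a user session when both carry the same AD group) can be seen in a small first-match evaluator. This is an added illustration written for this thread, not Cisco ISE code or anything from the original posts; the group names, VLAN IDs, and identities are constructed sample values.

```python
"""Toy first-match evaluator for ISE-style authorization (AuthZ) rules.

Constructed illustration only. It shows why the admin rule has to sit above the
HR rule, and how a "host/" identity prefix lets a policy tell a machine session
from a user session even when both identities are in the same AD group.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    identity: str           # RADIUS User-Name as presented to the policy engine
    groups: FrozenSet[str]  # AD group memberships resolved for that identity


@dataclass(frozen=True)
class AuthzRule:
    name: str
    matches: Callable[[Session], bool]
    vlan: int


def is_machine(s: Session) -> bool:
    # Machine authentication presents a "host/<computer>" identity;
    # a user logon presents the user's own account name.
    return s.identity.lower().startswith("host/")


# Group names and VLAN numbers below are constructed for the example.
ADMIN_RULE = AuthzRule(
    "Admin users",
    lambda s: not is_machine(s) and "Admins" in s.groups,
    200,
)
HR_COMPUTER_RULE = AuthzRule(
    "HR computers",
    lambda s: is_machine(s) and "Domain Computers" in s.groups and "HR" in s.groups,
    100,
)
HR_USER_RULE = AuthzRule(
    "HR users",
    lambda s: not is_machine(s) and "HR" in s.groups,
    100,
)

# Admin rule placed above the HR rules, as the reply recommends.
ORDERED_POLICY: List[AuthzRule] = [ADMIN_RULE, HR_COMPUTER_RULE, HR_USER_RULE]
# Same rules, admin rule at the bottom: an admin who is also in HR never reaches it.
MISORDERED_POLICY: List[AuthzRule] = [HR_COMPUTER_RULE, HR_USER_RULE, ADMIN_RULE]


def authorize(session: Session, policy: List[AuthzRule]) -> Tuple[str, Optional[int]]:
    """Return (rule name, VLAN) of the first rule that matches, top to bottom."""
    for rule in policy:
        if rule.matches(session):
            return rule.name, rule.vlan
    return "Default", None  # nothing matched; no VLAN assigned


# Constructed sessions: an HR computer at boot, an HR user, and an admin user
# who (as in the thread) is also a member of the HR group.
HR_PC = Session("host/hr-pc01.example.local", frozenset({"Domain Computers", "HR"}))
HR_USER = Session("24456", frozenset({"Domain Users", "HR"}))
ADMIN_ON_HR_PC = Session("24457", frozenset({"Domain Users", "HR", "Admins"}))


if __name__ == "__main__":
    for label, sess in (("HR PC boot", HR_PC), ("HR user logon", HR_USER),
                        ("Admin logon", ADMIN_ON_HR_PC)):
        print(f"{label:14} ordered   -> {authorize(sess, ORDERED_POLICY)}")
        print(f"{label:14} misordered-> {authorize(sess, MISORDERED_POLICY)}")
```

With the ordered policy the HR computer lands in VLAN 100 at boot, and the admin's logon on that same computer is re-evaluated and matched by the admin rule first, giving VLAN 200. With the admin rule at the bottom, the admin is swallowed by the HR user rule because that group membership is shared, which is exactly the symptom the question describes.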
One thing I found out is that my username and the username in the certificate are different. The username is a generic number like 24456 and the certificate is issued to first name and last name, so I can see the error
Identity resolution failed - ERROR_NO_SUCH_USER, as ISE is checking my first name and last name, which is not in AD; rather it is 24456.