ISE - AAA radius authentication for NAD access

Answered Question
Jul 13th, 2012

Hi,

I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy for the "NADs" using the "Wired Devices" group, which points to the AD identity source to authenticate against.

While testing the login access to the switches we've come up with 2 results:

1. A domain user can indeed log in to the switch as intended.

2. Every domain user which exists in the AD identity source can log in; this is an undesired result.

So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU of the IT_department only.

I haven't been successful; would appreciate any ideas on how to accomplish this.



Switch configurations:
=================
aaa new-model
!
aaa authentication login default group radius local
!

ISE Authentication policy
==================
!
Policy Name : NADs Authentication
Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1
!

Tarik Admani Fri, 07/13/2012 - 06:39

Hi,


You need to add another condition to your current authorization policy which looks for the AD:ExternalGroup and set that equal to your OU in AD. Click the plus button in the current policy to add another condition to this policy.

vvvnnnzzz Fri, 07/13/2012 - 06:48

Hi,

You are referring to the authorization policy whereas I do not (I am talking about the authentication). The moment I get the prompt of the switch for username+pass and I am using a correct domain user I will be granted access; the authorization policy doesn't come into effect here, am I wrong?

In this specific case I am not trying to authorize the user to a specific network VLAN or environment but only to control the users allowed to admin the switch.

Tarik Admani Fri, 07/13/2012 - 06:52

That is correct, you can not limit authentication to a specific group of users, only the database they reside in. It is up to the authorization policy then to find what group they are a member of and then give the configured access.


Thanks,

Tarik admani

vvvnnnzzz Fri, 07/13/2012 - 07:03

Thank you for the quick replies, and now, OK, I've configured the following authorization policy:

Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess

What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.

How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and can interfere?

Tarik Admani Fri, 07/13/2012 - 07:09

Do not worry about the condition on the left since those are for the internal endpoint and user database. You will use the original policy you pasted, but click the AND and combine it with the AD external group so that when both conditions succeed you will then get the result you referenced in the policy.


Thanks,

Tarik Admani
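To make the two-stage logic from this exchange concrete, here is a small Python model of what the switch ends up seeing (an added example, not ISE code and not anything posted in the thread). The users, passwords and group memberships are constructed sample data; the Default authorization rule's result is passed in as a parameter, because that default decides whether the new IT_Departments rule actually restricts anyone.

```python
from dataclasses import dataclass

# Constructed AD1 directory: user -> AD group memberships (sample data, not from the thread).
AD1_GROUPS = {
    "alice": {"Domain Users", "IT_Departments"},
    "bob":   {"Domain Users", "Finance"},
}
AD1_PASSWORDS = {"alice": "a-pass", "bob": "b-pass"}   # constructed credentials
WIRED = "All Device Types#Wired"                        # device type from the thread's policy


@dataclass
class Request:
    username: str
    password: str
    device_type: str   # the DEVICE:Device Type attribute of the NAD sending the request


def authentication_policy(req):
    """Authentication only selects an identity store and validates credentials.
    It cannot filter on group membership: every valid AD1 account passes here."""
    if req.device_type == WIRED:                       # rule 'NADs Authentication' -> AD1
        return AD1_PASSWORDS.get(req.username) == req.password
    return False                                       # no other identity stores modelled


def authorization_policy(req, default_result):
    """Rule 'Nad Auth': wired NAD AND AD1:ExternalGroups EQUALS IT_Departments -> PermitAccess.
    Requests that match no rule fall through to the Default rule's result."""
    groups = AD1_GROUPS.get(req.username, set())
    if req.device_type == WIRED and "IT_Departments" in groups:
        return "PermitAccess"
    return default_result


def radius_result(req, default_result="DenyAccess"):
    """Overall outcome the switch receives for one login attempt."""
    if not authentication_policy(req):
        return "Access-Reject"          # unknown account or wrong password
    if authorization_policy(req, default_result) != "PermitAccess":
        return "Access-Reject"          # authenticated in AD1, but not authorized
    return "Access-Accept"
```

Running it with `default_result="PermitAccess"` reproduces the original symptom: a non-IT domain user still gets Access-Accept because the Default rule catches everything the group rule does not match.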

vvvnnnzzz Fri, 07/13/2012 - 07:17

I think I understood your idea. I've added the same group as a condition and combined it with the AD:external groups, and that should do the work.

I've attached a screenshot to display the conditions I've set.

Now all that remains is to test it on site, since this is a limited lab environment.

Thanks,

Correct Answer
Tarik Admani Fri, 07/13/2012 - 07:22

No problem that is how I configure the policies, please remember to rate any helpful feedback after you are finished with your testing.


Thanks,

Tarik admani
