07-13-2012 05:46 AM - edited 03-10-2019 07:17 PM
Hi,
I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy for the "NADs" using the "Wired Devices" group, which points to the AD identity source to authenticate against.
While testing the login access to the switches we've come up with 2 results:
1. A domain user can indeed login to the switch as intended.
2. Every domain user which exists in the AD identity source can login; this is an undesired result.
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU of the IT_department only.
I haven't been successful; would appreciate any ideas on how to accomplish this.
Switch configurations :
=================
aaa new-model
!
aaa authentication login default group radius local
!
ISE Authentication policy
==================
!
Policy Name : NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1
!
07-13-2012 07:22 AM
No problem, that is how I configure the policies. Please remember to rate any helpful feedback after you are finished with your testing.
Thanks,
Tarik admani
07-13-2012 06:39 AM
Hi,
You need to add another condition to your current authorization policy which looks for the AD:ExternalGroup and set that equal to your OU in AD. Click the plus button in the current policy to add another condition to this policy.
07-13-2012 06:48 AM
Hi,
You are referring to the authorization policy whereas I do not (I am talking about the authentication). The moment I get the prompt of the switch for username+pass and I am using a correct domain user I will be granted access; the authorization policy doesn't come in effect here, am I wrong?
In this specific case I am not trying to authorize the user to a specific network VLAN or environment but to only control the users allowed to admin the switch.
07-13-2012 06:52 AM
That is correct, you cannot limit authentication to a specific group of users, only the database they reside in. It is up to the authorization policy then to find what group they are a member of and then give the configured access.
Thanks,
Tarik admani
07-13-2012 07:03 AM
Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess
What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and can interfere?
07-13-2012 07:09 AM
Do not worry about the condition on the left since those are for the internal endpoint and user database. You will use the original policy you pasted but click the AND and combine it with the AD external group so that when both conditions succeed you will then get the result you referenced in the policy.
Thanks,
Tarik Admani
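To make the authentication/authorization split in this thread concrete, here is an added Python model of the two ISE stages (example code written for this page, not ISE's own logic): the authentication policy only checks that the credential is valid in the identity store AD1, and the authorization rule "Nad Auth" (Device Type Wired AND AD1:ExternalGroups EQUALS IT_Department) decides who actually gets access, with everything else falling to DenyAccess. The AD1 users, passwords and group memberships are constructed sample data.

```python
# Added model of the two ISE policy stages discussed in the thread (not ISE code).
# AD1 below is a constructed identity source: user -> (password, set of AD groups).
from dataclasses import dataclass, field

AD1 = {
    "alice": ("pw-alice", {"Domain Users", "IT_Department"}),
    "bob":   ("pw-bob",   {"Domain Users", "Sales"}),
}

@dataclass
class Request:
    user: str
    password: str
    device_type: str                            # NAD attribute, e.g. "All Device Types#Wired"
    groups: set = field(default_factory=set)    # AD1:ExternalGroups, filled after authentication

def authenticate(req: Request, store=AD1) -> bool:
    """Authentication policy 'NADs Authentication': any valid AD1 credential passes.
    This stage only checks the database the user resides in, never group membership,
    which is why every domain user reaches the switch prompt successfully."""
    entry = store.get(req.user)
    if entry is None or entry[0] != req.password:
        return False
    req.groups = set(entry[1])   # external groups become available to authorization
    return True

# Authorization rules are evaluated top-down; first match wins, default is DenyAccess.
AUTHZ_RULES = [
    ("Nad Auth",
     lambda r: r.device_type == "All Device Types#Wired" and "IT_Department" in r.groups,
     "PermitAccess"),
]

def authorize(req: Request, rules=AUTHZ_RULES) -> str:
    for _name, condition, result in rules:
        if condition(req):
            return result
    return "DenyAccess"   # ISE sends Access-Reject, so the switch login fails

def login(user: str, password: str, device_type: str = "All Device Types#Wired") -> str:
    """Full flow for one switch login attempt: authenticate, then authorize."""
    req = Request(user, password, device_type)
    if not authenticate(req):
        return "DenyAccess"
    return authorize(req)
```

Running `login("bob", "pw-bob")` shows the thread's problem case: bob authenticates fine as a domain user but is denied because he is not in IT_Department.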
07-13-2012 07:17 AM
I think I understood your idea. I've added the same group as a condition and combined it with the AD:external groups, and that should do the work.
I've attached a screenshot to display the conditions I've set.
Now all that remains is to test it on site, since this is a limited lab environment.
thanks,