ISE - AAA radius authentication for NAD access

vvvnnnzzz
Level 1

Hi,

I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy for the "NADs" using the "Wired Devices" group, which points to the AD identity source to authenticate against.

While testing the login access to the switches we've come up with 2 results:

1. A domain user can indeed log in to the switch as intended.

2. Every domain user which exists in the AD identity source can log in; this is an undesired result.

So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU of the IT_department only.

I haven't been successful; would appreciate any ideas on how to accomplish this.

Switch configuration:

=================

aaa new-model
!
aaa authentication login default group radius local
!

ISE Authentication policy

==================

Policy Name: NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol: Default Network Access
Use identity source: AD1


7 Replies

Tarik Admani
VIP Alumni

Hi,

You need to add another condition to your current authorization policy which looks for the AD:ExternalGroups attribute and set that equal to your OU in AD. Click the plus button in the current policy to add another condition to this policy.

Hi,

You are referring to the authorization policy, whereas I do not (I am talking about the authentication). The moment I get the switch prompt for username + password and I use a correct domain user I will be granted access; the authorization policy doesn't come into effect here, am I wrong?

In this specific case I am not trying to authorize the user to a specific network VLAN or environment but only to control the users allowed to admin the switch.

That is correct, you cannot limit authentication to a specific group of users, only the database they reside in. It is up to the authorization policy then to find what group they are a member of and then give the configured access.

Thanks,

Tarik admani

Thank you for the quick replies, and now OK, I've configured the following authorization policy:

Rule Name: Nad Auth
Conditions
if: Any
AND: AD1:ExternalGroups EQUALS IT_Departments
Permissions, then PermitAccess

What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group". I am limited by the if statement and cannot choose the same device group I chose before.

How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and interfere?

Do not worry about the condition on the left since those are for the internal endpoint and user database. You will use the original policy you pasted but click the plus and combine it with the AD external group so that when both conditions succeed you will then get the result you referenced in the policy.

Thanks,

Tarik Admani
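As an added illustration of the two replies above (this is not code from the thread or from ISE; it is a constructed model of ISE's RADIUS decision flow), the snippet below shows why the authentication policy alone admits every AD user and why the AD group check belongs in the authorization policy, combined with the device-type condition. The user directory, user names and the assumption that the default authorization rule was PermitAccess before the "Nad Auth" rule was added are constructed for the example.

```python
# Constructed stand-in for the AD1 identity source: user -> AD group list.
# A real lookup would also verify the password; here a flag stands in for it.
AD1 = {
    "alice": ["Domain Users", "IT_Departments"],
    "bob":   ["Domain Users", "Finance"],
}

WIRED = "All Device Types#Wired"


def authenticate(request):
    """'NADs Authentication' rule: for wired NADs, validate the user against
    AD1. This stage can only pick the identity store; it cannot filter on
    group membership, so every valid domain user passes it."""
    if request["device_type"] != WIRED:
        return None                       # other authentication rules omitted
    groups = AD1.get(request["user"])
    if groups is None or not request["password_ok"]:
        return None                       # unknown user / bad password
    return {"device_type": WIRED, "AD1:ExternalGroups": groups}


def authorize(attrs, rules, default_result):
    """Authorization policy: rules are (name, device_type, ad_group, result).
    The first rule whose device type AND AD group both match wins; if none
    matches, the policy's default rule decides (the 'Any' identity-group
    condition on the left of the rule is not part of this decision)."""
    for _name, device_type, ad_group, result in rules:
        if attrs["device_type"] == device_type and ad_group in attrs["AD1:ExternalGroups"]:
            return result
    return default_result


# The rule from the thread: wired NAD AND AD1:ExternalGroups EQUALS IT_Departments.
NAD_AUTH_RULES = [("Nad Auth", WIRED, "IT_Departments", "PermitAccess")]


def login(user, rules=NAD_AUTH_RULES, default_result="DenyAccess",
          device_type=WIRED, password_ok=True):
    """Full RADIUS decision for a device-admin login: returns the reply code."""
    request = {"user": user, "device_type": device_type, "password_ok": password_ok}
    attrs = authenticate(request)
    if attrs is None:
        return "Access-Reject"            # failed at the authentication stage
    result = authorize(attrs, rules, default_result)
    return "Access-Accept" if result == "PermitAccess" else "Access-Reject"
```

Calling `login("bob", rules=[], default_result="PermitAccess")` reproduces the original symptom (any domain user accepted), while the default arguments reproduce the fixed policy, where only IT_Departments members are accepted.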

I think I understood your idea. I've added the same group as a condition and combined it with the AD:ExternalGroups, and that should do the work.

I've attached a screenshot to display the conditions I've set.

Now all that remains is to test it on site, since this is a limited lab environment.

Thanks,

No problem that is how I configure the policies, please remember to rate any helpful feedback after you are finished with your testing.

Thanks,

Tarik admani