topic Ise block rogue domain in Network Access Control

Ise block rogue domain

williamtan — Wed, 20 Nov 2019 05:07:52 GMT

I have implement ise and enabled ise posture at client environment. Policy rule configured as if domain id and posture status pass will get full access.

What if someone setup a laptop with same domain and pass posture, will he able to access network with full access? How to prevent this?

Re: Ise block rogue domain

Francesco Molino — Wed, 20 Nov 2019 05:24:40 GMT

Hi

Not sure i your reques.
You configured some posture policies for domain computers.
If someone comes in with a domain computer and matches all prerequisites to get a compliant posture status, it will get access to the network.
Can you detail a little bit please what rules did you put in place and what use-case you want to avoid (deny access to the network)?

Re: Ise block rogue domain

Colby LeMaire — Wed, 20 Nov 2019 14:25:12 GMT

Your request is hard to understand. It would help if you post a screenshot of your rule/rules.

I assume you created a posture policy to check a registry key that shows their domain and if it is there and matches your domain, then they pass posture and get access. In that case and assuming they pass authentication first, then yes, anyone could modify their registry to get in if they know what you are checking for.

The key is to authenticate their machines before they even get to posture. If you use PEAP machine authentication, then they will only pass authentication if they are truly joined to the domain. If you use EAP-TLS and machine certificates, then that machine would need to have a valid certificate assigned to it to pass authentication. If you issue certificates from your domain/Microsoft CA, make sure the certificate template is configured to not allow exporting of the certificate. That way, they can't move the certificate from a work computer to another rogue computer.

If that didn't answer your question, then please clarify and post screenshots of your rules.

Re: Ise block rogue domain

williamtan — Wed, 20 Nov 2019 15:56:48 GMT

Above is the policy rule I created, if posture status equal compliant and domain user then will get full access. For the posture rule, I just checked the trend micro version and definition date.

My question is, if i'm not a staff but i know the domain and user password. I setup an AD which same name with client example abc.com, then i joined my laptop to my domain. I connect my laptop to client network and I would be able to get access right?

Re: Ise block rogue domain

Colby LeMaire — Wed, 20 Nov 2019 19:07:02 GMT

That is not correct that if you use your abc.com user account since within each domain, the user account has a Security Identifier (SID) that would be unique. But I also think that you are over-thinking the situation. With the rule you attached, you could just use your account (username/password) that you were issued by your client and login to their network using a rogue laptop. So when you get prompted for credentials during network connection, you put your client credentials in such as username@client.com and assuming the password is correct, then you would be redirected for posture. If you have the Anyconnect posture client installed and your posture status is compliant, then yes you would get access.

That is why I always recommend doing machine authentication at a minimum. User authentication isn't always necessary unless you need to differentiate access on the network based on who the user is.

Re: Ise block rogue domain

williamtan — Fri, 29 Nov 2019 02:39:35 GMT

If only enable machine authentication, then everyone who access the endpoint will have full access to network. I have implemented NAM module and using EAP chaining to authenticate machine and user before. But endpoint with Windows 10 will facing connection issue every time when have new Windows patch.

Re: Ise block rogue domain

Colby LeMaire — Fri, 29 Nov 2019 03:41:40 GMT

But the endpoint has its own authentication system to prevent unauthorized users from logging in to the endpoint, correct? Also, any resources on the network such as file shares, e-mail servers, etc. will all have their own authentication for users, right? So what are you gaining by authenticating the user before you allow network access at all? The real concern is the machine/device and making sure it isn't a rogue device that could be infected or running malicious tools.