topic Re: Identifying first time corporate login to network in Network Access Control

Identifying first time corporate login to network

eddiem — Thu, 07 Sep 2017 23:45:33 GMT

Here is an interesting ISE network access requirement I wanted to run by the experts. The requirement is to force a new corporate user through a captive portal to read and accept the corporate internet use policy. The customer is a heavy Microsoft/AD shop and has the capability to write ADSI scripts to modify AD on the fly or perhaps even using ISE EPS APIs. So given that, is this the best option?

ISE wired and wireless policy has an authZ rule that states if user belongs to ‘Unsigned_AUP’ AD group, they get restricted access and redirected to the AUP captive portal.
After new corporate user reads and signs the AUP, this captive portal has ADSI scripting to drop the respective user from the ‘Unsigned_AUP’ AD group.
The same captive portal script uses ISE EPS API to bounce (CoA) the user off of the network. When the user logs back in, the will no longer be in the 'Unsigned_AUP' group and will fall into whatever desired authZ rule.

The piece I’m not sure on is how the user gets bounced in step 3. In the typical guest or BYOD flow, the portal is running on an ISE node, so ISE knows how to reach the PSN to CoA the user. But in this flow the customer owns this ‘New user captive portal’. What ISE node would this EPS API talk to to CoA the user, MnT?

Thanks in advance

Re: Identifying first time corporate login to network

Craig Hyps — Fri, 08 Sep 2017 00:27:42 GMT

Eddie,

The can call the REST API against ISE MNT node to retrieve session info and trigger CoA. Another option is to simply have them accept AUP in ISE or link to external AUP from a CWA/Hotspot page which also flags AUP accept in ISE. This too will trigger CoA upon completion to allow different policy to be hit if authorization result different.

Craig

Re: Identifying first time corporate login to network

eddiem — Fri, 08 Sep 2017 04:34:12 GMT

Thanks Craig, That helps. Can I assume if we used ISE for the AUP, we'd still need some external source to tell us if the user was a first time login using the AD group I mentioned above? Otherwise I'm not sure how ISE would know it was the first time that user logged into the network. We can't use the endpoint MAC because the PC may be recycled from previous user.

Re: Identifying first time corporate login to network

Craig Hyps — Fri, 08 Sep 2017 05:05:44 GMT

AUP is flagged to the endpoint, not user, but you may be able to combine your external AUP (link to it from CWA login page) and rely on local CoA from ISE to pick up the change in AD. For example:

Rule 1 - If EAP success and AD:AUP flag = true, then Permit

Rule 2 - If EAP success and AD:AUP flag = false, then CWA_AUP (or Hotspot AUP)

/Craig

Re: Identifying first time corporate login to network

hslai — Fri, 08 Sep 2017 05:19:34 GMT

If the customers mainly need users to ack access to an AD computer, it might not need to use ISE to enforce it at all. I am thinking to use login script to check some windows registry or the like and pop up a modal windows if not yet set to the ack'ed value, etc.

Re: Identifying first time corporate login to network

eddiem — Fri, 08 Sep 2017 15:52:40 GMT

Thanks Hsing. Although customer is a heavy Microsoft shop, we're not sure if all endpoints will be Windows so wanted to suggest a solution that leveraged network access and worked for non-Windows endpoints.

Re: Identifying first time corporate login to network

gbekmezi-DD — Fri, 08 Sep 2017 16:11:20 GMT

How about something like this (though this is endpoint constrained vs user constrained:

1. User with endpoint not previously seen logs in.

2. Check if endpoint is in identity group EUP-Signed (for example)

3. If in identity group, then allow access

4. if not in identity group, then redirect using a hotspot portal with EUP. Have that hotspot portal place the endpoint in the EUP-Signed identity group once the user accepts the EUP

If you want the policy bound to a user, maybe you can do something with AD groups or a user attribute in AD using an external EUP portal. Once the user accepts the EUP, the portal adds the attribute to the user in AD and then generates a COA for the session.

George

Re: Identifying first time corporate login to network

eddiem — Fri, 08 Sep 2017 16:20:52 GMT

Thanks George, The customer has plenty of wired/shared desktops. Therefore the solution needs to be focused on the user, not the endpoint. Since customer has skilled IT staff willing to write scripting to dynamically update AD, we thought using an AD group to track first time logins would be effective.