topic Re: ISE Authorization Rule in Network Access Control

ISE Authorization Rule

NETAD — Fri, 21 Feb 2020 18:46:33 GMT

Hello, what would be a good authorization rule to authorize PCs to be imaged. They’re not on the domain and they will be applied a dacl that gives access to the imaging server and internet only. I’m trying to distinguish it from the default authorization policy which matches anything and gives Internet access only.

Re: ISE Authorization Rule

Rob Ingram — Fri, 23 Feb 2018 20:00:37 GMT

Hi, You could create an Endpoint group, add the MAC addresses of the machines to be imaged to that group and then create an AuthZ rule allowing only that Endpoint group access to the Imaging server and the internet via the DACL.

You could create a MyDevices portal to allow staff only the ability to add mac addresses to the group.

HTH

Re: ISE Authorization Rule

NETAD — Fri, 23 Feb 2018 20:05:00 GMT

Thanks RJI, now this fine but would require us to manually enter the mac addresses everytime a PC needs to be re-imaged. Do you recommend any other way?

Re: ISE Authorization Rule

Rob Ingram — Fri, 23 Feb 2018 20:13:23 GMT

Well you need the machine to not match your existing AuthZ rules, most ideas I come up with require you to have some manual intervention.

- You could add the computer to an AD group for re-imaging purposes, if AuthZ rule matches then allow access to the Imaging server. You'd place that rule above the normal AuthZ rule though.

- If you are re-imaging a current machine, if you disabled the machine in AD you could create a rule to match on account disabled and apply an AuthZ rule allowing access to the imaging server. I can think of reasons why you wouldn't want to do that.

- If your desktop team image machines from a specific vlan you could match on the vlan the machine is connecting from and allow access to the imaging server.

Re: ISE Authorization Rule

NETAD — Fri, 23 Feb 2018 20:29:00 GMT

The vlan option is actually what I’m looking for but I didn’t know that’s possible. I thought ISE could drop them into a vlan but not authorize based on a vlan. What radius attribute should I use yo get that accomplished?

Re: ISE Authorization Rule

Rob Ingram — Fri, 23 Feb 2018 21:17:23 GMT

Using the vlan as part of a condition is only supported in IBNS2.0 configuration on the switches, if you are using that you could specify "Tunnel-Type" or "Tunnel-Private-Group-ID".

If you are using IBNS 1.0 configuration on the switches, perhaps you could use the "NAS-IP-Address" - assuming that the machines are re-imaged from a certain switch?

Re: ISE Authorization Rule

NETAD — Fri, 23 Feb 2018 21:30:24 GMT

How can I tell which IBNS version I'm running?

Re: ISE Authorization Rule

Rob Ingram — Fri, 23 Feb 2018 21:39:05 GMT

If the interfaces on your switches have the following commands similar to below, then you are using IBNS 1.0

interface GigabitEthernet1/0/1
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto

If you are using IBNS 2.0 you would have class and policy maps defined globally and not the interface level commands above.

Re: ISE Authorization Rule

NETAD — Fri, 23 Feb 2018 21:41:12 GMT

hmm ok yea then IBNS 1.0. Thanks for your help on this. I will try NAS-IP-Address and hope that they will image from just one switch.

Re: ISE Authorization Rule

NETAD — Sat, 24 Feb 2018 00:43:21 GMT

Hey RJI, can I bother you with one more thing? I'm trying to get dot1x working in my lab but I'm struggling a little. I have a win7 machine joined to a domain with a GPO enforcing dot1x PEAP with MSCHAPv2 and the dot1x service is started but the authentication request keeps missing the dot1x authentication policy for some reason and decides to do MAB instead. I attached my configs and debugs. Can you take a look and let me know if I'm missing something or something is missconfigured somewhere.