topic Re: How to block one client in ISE? in Network Access Control

How to block one client in ISE?

tonyang — Sun, 30 Jul 2023 13:56:59 GMT

I am implementing 802.1x authentication for Wireless and Wired networks. May I ask how to block the client in ISE ? Is it possible to add the client mac into blacklist in ISE ?

Re: How to block one client in ISE?

Rob Ingram — Sun, 30 Jul 2023 15:16:40 GMT

@tonyang you can add the MAC address to the predefined identity group called "blocklist" and then create an authorisation rule to block devices in that group connecting. Example: https://community.cisco.com/t5/security-knowledge-base/ise-authentication-and-authorization-policy-reference/ta-p/3850472#toc-hId--2143165211

Re: How to block one client in ISE?

MHM Cisco World — Sun, 30 Jul 2023 15:28:34 GMT

You use 802.1 not mab ?

Re: How to block one client in ISE?

MHM Cisco World — Sun, 30 Jul 2023 15:31:11 GMT

You are correct but which attributes of 802.1x have mac of user ?

If he use mab then username is mac and he can use it to bulid blacklist but for 802.1x I think he need command in NAD to send mac of user as attribute with 802.1x radius traffic.

Re: How to block one client in ISE?

MHM Cisco World — Sun, 30 Jul 2023 21:54:10 GMT

Radius server attribute 31 <<- this need in SW

And then config blacklist in ise condition call-station mac.

Re: How to block one client in ISE?

Rob Ingram — Sun, 30 Jul 2023 15:51:26 GMT

The MAC address is not required to be used for authentication, you implement this blocklist during authorisation where the authenticating user is connecting from a MAC address that is a member of the blocklist endpoint identity group and subseuqently denied access.

Re: How to block one client in ISE?

MHM Cisco World — Sun, 30 Jul 2023 15:59:32 GMT

How ISE know mac address ?

Re: How to block one client in ISE?

Rob Ingram — Sun, 30 Jul 2023 19:38:19 GMT

@MHM Cisco World the MAC address is learnt via DHCP or RADIUS. ISE uses the MAC address to create an entry in the Endpoint database. You do not need to use MAC authentication (MAB) to block a client. When processing the connection, ISE will know the endpoint MAC address and authenticating username (amongst other attributes), the MAC address can be used as a condition in an authorisation rule, usually when referenced in an endpoint identity group (as per the example provided), you can then deny/permit as required.

@tonyang another option (if required) you could create an AD group called i.e., "Blocked Users", then create an exception rule that denies users connections if a member of that group.

Re: How to block one client in ISE?

Arne Bier — Sun, 30 Jul 2023 21:44:38 GMT

@mhmd - the client's MAC address is contained in the Calling-Station-ID

Re: How to block one client in ISE?

MHM Cisco World — Sun, 30 Jul 2023 21:53:43 GMT

https://mrncciew.com/2013/07/22/called-calling-station-id/

But are attribute 31 is by defualt send by sw or wlc for 802.1x supplicant?

Re: How to block one client in ISE?

tonyang — Tue, 01 Aug 2023 04:40:05 GMT

Thank you, Rob.

I implement the block list in the authorization policy. I just implement radius protocol in the authentication policy. And move the block list to the top among multiple authorization conditions.

Re: How to block one client in ISE?

tonyang — Tue, 01 Aug 2023 06:15:05 GMT

Thank you, Rob.

May I ask how to define the condition for an exception rule ?

Re: How to block one client in ISE?

Rob Ingram — Tue, 01 Aug 2023 06:32:40 GMT

@tonyang just create an authorization rule (as per the example provided) under either the Policy Set Local Exceptions or Global Exceptions, these rules will be processed prior to the Authorization Policy.

Re: How to block one client in ISE?

tonyang — Tue, 01 Aug 2023 06:42:56 GMT

@Rob Ingram I see where I need to define in local/global exception. But I want to consult with you how to define the condition.

I just created one security group "Workstation Deny Group" in AD. Thank you.

Re: How to block one client in ISE?

Rob Ingram — Tue, 01 Aug 2023 06:49:42 GMT

@tonyang you don't actually need to use the "Security Group", that's only if you are using TrustSec SGTs for enforcement.

In closed mode a deny should suffice, if in open mode then you could just apply a DACL to restrict traffic.

Re: How to block one client in ISE?

tonyang — Wed, 02 Aug 2023 02:46:33 GMT

Thank you, Rob,

I just implemented one local exception to manage the blacklist. And it works smoothly in my environment. I am wondering if I can have alternative to do. Like use AD group (security group) to manage/control.

Re: How to block one client in ISE?

Rob Ingram — Wed, 02 Aug 2023 06:57:29 GMT

@tonyang yes you can (I did already previously suggest that as another option).

Create a group in Active Directory add the user or computer (if just using machine authentication) import that group into ISE. Create the block authorisation rule to reference that ExternalGroup and set deny access (and if necessary a DACL).