topic Re: Wrong authorization profile due to bad identification in Network Access Control

Wrong authorization profile due to bad identification

CorpNetwork — Mon, 28 Oct 2024 12:54:29 GMT

Hello,

Curios to know if anyone else had this issue. Computers are configured to authenticate using machine cert. Identity configured in

"Certificate Authentication Profile" set to SAN. I have ISE joined to two domains and I'm using Identity source sequence. For some reason, some computers from domain1 get authorization profile for domain2. Looking at the logs I see that ISE has different info for SAN & AD-Host-Resolved-Identities.

Re: Wrong authorization profile due to bad identification

Cristian Matei — Wed, 30 Oct 2024 13:56:10 GMT

Hi,

Authentication and authorization are separate policies from ISE perspective; as I understand, your challenge to fix is that computers from AD1 match authorization profile of AD2; to fix it, you just need smarter condition within your authorization, based on AD groups & domain or SAN values.

Best,

Cristian.

Re: Wrong authorization profile due to bad identification

wsteele@conres.com — Thu, 31 Oct 2024 17:24:25 GMT

Keep in mind it is going to work top down. If ISE finds a reference in the 1st domain it will try to authenticate it. Does any type of trust exist between the 2 domains. ISE deployments can support multiple certificate chains and profiles but each node can only support a single cert for EAP. Are the devices from both domains using the same Network Access Devices?

Re: Wrong authorization profile due to bad identification

CorpNetwork — Fri, 01 Nov 2024 08:16:58 GMT

Thank you for your reply. There is no trust between domains (had but got removed). ISE is joined to both domains. Clients are using the same NAD. I don't experience this with all clients. Based on the attached logs (pictures) you can see ISE is "confused" on what device is connected to that port

Re: Wrong authorization profile due to bad identification

CorpNetwork — Fri, 01 Nov 2024 08:20:35 GMT

@Cristian Matei Look at picture ISE2.png attached to the initial post and tell me what you understand from it. Why is the "resolving identity W11-5006650 from AD1 when the actual machine is called WH5011879 (member of the other domain).

Multumesc 🙂

Re: Wrong authorization profile due to bad identification

Aref Alsouqi — Fri, 01 Nov 2024 09:29:02 GMT

Please share your sanitized authentication and authorization policies for review. The issue could be caused by some loose conditions on the policies and also it would depend on the attributes parsed from the endpoints certificates.

Re: Wrong authorization profile due to bad identification

CorpNetwork — Fri, 01 Nov 2024 13:10:25 GMT

Hi Aref.

See attached files

Re: Wrong authorization profile due to bad identification

Aref Alsouqi — Fri, 01 Nov 2024 15:25:07 GMT

Thanks. I would try to do these two things, first, I would remove the internal endpoints from "AD1_Internal_copy" identity sequence, second, I would add the identity sequence to the certificate profile. If you are using this identity sequence in other authentication rules and you don't want to change it because of that, then you can clone it and apply the changes only on the interested authentication rule.

Re: Wrong authorization profile due to bad identification

CorpNetwork — Wed, 16 Apr 2025 10:12:42 GMT

Hello. Short update 🙂 We encountered this problem again while moving from PEAP to EAP-TLS. Long story short, I believe this was caused by MAR- setup with the maximum 1 year cache.