topic Hi Andy, in Network Access Control

ISE Endpoint Identity Group assignment for 802.1x clients

andrewswanson — Mon, 11 Mar 2019 05:23:47 GMT

Hello

I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.

Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.

AD PC's aren't profiled and are listed under Endpoints withthe Enpoint Profile of "unknown"

To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).

My questions are:

A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
Authenticated 802.1x AD PC's have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PC's to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?

Thanks
Andy

Hi Andy,

derrick.ray1 — Tue, 04 Oct 2016 16:54:23 GMT

Hi Andy,

Were you able to figure this out?

Hi Derrick. No, I was moved

andrewswanson — Wed, 05 Oct 2016 06:25:15 GMT

Hi Derrick. No, I was moved off this work and didn't get it resolved. I'll be looking at ISE again soon so I'll post any findings.

Cheers

Andy

The phone consumes a Plus

Joseph Johnson — Wed, 05 Oct 2016 14:37:17 GMT

The phone consumes a Plus license because you are using a profile to authenticate/authorize the connection. Technically, the PC consumes a Plus license as well but only during the profiling process. It is released after profiling if you do not use the profiling information in an authorization rule.

Endpoint groups are based on profiling or guest assignment (which is kind of like the probe based profiling). I have not seen any way to assign a 802.1x authenticated device to an endpoint group outside of profiling.

ISE 2.1 has an AD profiling probe built in if you want to build an endpoint group based on the AD join point of the PC. It was not available in previous ISE releases. You can use that to profile AD joined computers and automatically add them to an endpoint group. You can find more information here:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200553-Configure-ISE-2-1-Profiling-Services-bas.html

Using that and the resulting endpoint group in an authorization rule would consume a Base and Plus license (base for authentication, Plus for the profiling based authorization).