Access policy for MyDevices Portal

vigogne (Level 1)

Please tell me: is it possible to create an access policy for the MyDevices portal that allows access only to a certain group in AD?
At the moment, I have done it this way:

In Identity Source Sequences, at MyDevice_Portal_Sequence, I left only the "Internal Users" identity source. Then I added a Network Access User with the same name as in the AD database and the password type set to AD Sequence.

It works, but it is very inconvenient and not flexible.

And a second question: how can I modify the MyDevices Portal to add a combo-box to the standard form for selecting the endpoint group?

2 Accepted Solutions

ppreenja (Cisco Employee)

Hi,

You can post your query in the community channel below:

https://community.cisco.com/t5/network-access-control/bd-p/discussions-network-access-control

Cheers,

Pratham

Hi @vigogne and @ppreenja,

I have not scanned the Community questions in a little while and this one passed me by. But I have a solution for you. Did you find a solution in the end?

It so happens that I saw this work at a customer, and it's quite unbelievable.

The trick is to tell the MyDevices Portal NOT to use AD or ISE local users as the authentication source, but to use ISE loopback addresses instead. WHAT? ISE has loopback addresses as an identity source? No, not by default, but this is where the hack starts.

Create a loopback by defining ISE as a "RADIUS Token Server": you're telling ISE that there is a token server (which is itself …); a maximum of 2 servers can be defined.

The RADIUS shared secret must be the same as the shared secret mentioned further below … it's not used anywhere else other than here (in the token server definition) and later on, in the ISE NAD definition.

Then use that ISE loopback definition to modify the standard My Devices sequence.

Hilarious, isn't it? You have to create RADIUS client (NAD) definitions for each of the token servers (which in production would most likely be dedicated PSN nodes): create a new Device Type called ISE_MyDevicesPortal (or whatever) and then use the same RADIUS shared secret as used before in the token server definition.

I have some screenshots, but they are taken from a customer setup (I have not sanitised them for this Community); still, I think you should be OK with the information above.

The bottom line is that with this hack, the My Devices Portal will cause ISE to make RADIUS requests to ITSELF, and you can catch these requests in the standard Policy Set.

Let me know how you get on.
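The loopback the reply above describes, modelled end to end as an added example (this is not code from the post, from Cisco, or from ISE): the portal login becomes a RADIUS Access-Request from ISE to one of its own PSNs, the PSN applies a policy-set-style check, and the answer travels back to the portal side, which verifies it. The shared secret, the NAD name, the user names, the passwords and the "portal group" set are all constructed stand-ins; the group lookup replaces the AD group condition a real policy set would carry, and the NAD is recognised by NAS-Identifier only because the example runs offline (ISE keys NADs on source IP). The mismatched-secret case is the one a practitioner most wants to see: the PSN decrypts garbage and rejects, and the portal side cannot verify the Response Authenticator, so the reply is dropped rather than trusted.

```python
"""Offline model of the ISE-to-itself RADIUS loopback (RFC 2865 framing);
every secret, name and credential here is constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
# Assumed: the one shared secret typed into the RADIUS Token Server
# definition and again into the NAD entry for the PSN, and that NAD's name.
SHARED_SECRET = b"example-loopback-secret"
NAS_ID = b"ise-psn-1"
# Constructed stand-ins for the AD password check and the AD group condition.
CREDENTIALS = {"alice": b"alice-pw", "bob": b"bob-pw"}
MYDEVICES_GROUP = {"alice"}

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length counts its own two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(secret, code, ident, req_auth, attrs) -> bytes:
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def portal_access_request(secret: bytes, user: str, password: str, ident: int = 1) -> bytes:
    """What the portal side sends to its 'token server', i.e. the PSN."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
             + attr(NAS_IDENTIFIER, NAS_ID))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def psn_handle(secret: bytes, request: bytes):
    """Toy policy set on the PSN: known NAD, valid password, member of the group."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    req_auth, attrs = request[4:20], parse_attrs(request[20:])
    if attrs.get(NAS_IDENTIFIER) != NAS_ID:
        return None                      # unknown NAD: ISE silently drops it
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    ok = (user in MYDEVICES_GROUP
          and hmac.compare_digest(password, CREDENTIALS.get(user, b"")))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(secret, code, ident, req_auth, b""), b"")

def portal_check_response(secret: bytes, request: bytes, response: bytes):
    """Portal side: trust a reply only if its Response Authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = response_authenticator(secret, code, ident, request[4:20], response[20:])
    return code if hmac.compare_digest(expected, response[4:20]) else None

def portal_login(user: str, password: str,
                 portal_secret: bytes = SHARED_SECRET, psn_secret: bytes = SHARED_SECRET) -> str:
    """Run one portal login through the loopback and report accept, reject or dropped."""
    request = portal_access_request(portal_secret, user, password)
    response = psn_handle(psn_secret, request)
    code = None if response is None else portal_check_response(portal_secret, request, response)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "dropped")
```

`portal_login("alice", "alice-pw")` returns "accept"; `portal_login("bob", "bob-pw")` returns "reject", because bob's credentials are valid but he is outside the group, which is exactly the per-group gate the question asks for; `portal_login("alice", "alice-pw", psn_secret=b"typo")` returns "dropped", the loopback equivalent of the token server definition and the NAD entry not carrying the same secret. The plain RFC 2865 framing shown here leaves the Access-Request itself unauthenticated, so a real deployment should also require Message-Authenticator on requests.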

4 Replies


vigogne (Level 1)

Thank you! Perhaps this is what I will do )


Oh, thank you very much!

I have already been prompted for a similar solution. 

https://community.cisco.com/t5/security-documents/ise-sponsor-amp-my-devices-authorization-on-secondary-attributes/ta-p/3641379

This solution is really from the category of hacking skill )) But it works! 
