Adding an ISE rule in an authorization policy set to permit devices based only on IP address (subnet)?

Shaan (Level 1)

Scenario:

I have a MAB policy set where each rule permits a profiler policy/logical profile I’ve defined. Then the last rule is a default deny access.

We have a subnet which we allow guests to connect on, and we want them to get permitted regardless of what device they bring or what endpoint profile it ends up being. So I want to add a rule just before the last rule which would permit any device coming from that subnet – I don’t care what profiler policy it matched. The problem is I can’t figure out a way to get this to work.

What I’ve tried/considered:

  1. Create an “Endstation Network Condition” matching my subnet and use this in the policy rule. This unfortunately doesn’t work when I use a subnet but I noticed that it works if I use MAC addresses, presumably because the Radius Caller Station ID is a MAC address.
  2. Create a condition to match on Radius Framed-IP-Address. This would almost work but the only options ISE gives you are Equals and Not Equals. I’m trying to match a /14 so listing every single IP address out isn’t possible.
  3. Creating a profiler policy with a single check (IP address starts with) and giving it a really high certainty factor to outweigh all other profiler policies. This technically would work but then I’d lose the easy visibility of whether something is a Macbook/Windows Workstation/etc. because the endpoint profile would be getting overridden with this new one. That won’t work for us.
  4. Give those guest ports an interface description like “Guest” and then in ISE use the SNMP probe to see this description and make that into a condition? I haven’t been able to get ISE to pull the interface description though, it just says ifDescr is for example “GigabitEthernet0/1”.

Any ideas on how to accomplish this are appreciated!

Thanks

Shaan

3 Replies

howon (Cisco Employee)

Can you share what you are trying to solve at a higher level, as there may be better ways than using IP address.

IP address is not a good condition to match on. IP addresses are often assigned post-authentication and, as you have seen from your test, the initial authentication request will not have the IP address, so it cannot be used as an authentication condition. Most of the time, the network device sends the IP address in the authentication request only when the endpoint is reauthenticating (meaning it has been on the network already). In general, network devices will send the IP in the accounting request post-authentication.

If you can provide business requirement there may be other ways to address the issue. Thanks.

paul (Level 10)

Part of the problem is your default rule at the bottom shouldn't be a deny access unless you are in a complete whitelist setup. If you are doing profiling of any kind you want to let all the devices onto the network in a Limited Access state. The DACL applied would allow them to do DNS (if you want to redirect them to a limited access portal) and access to the ISE PSNs. This will allow ISE to scan devices with NMAP and SNMP to gather data. Also, by letting the device onto the network it will get an IP and you can profile by IP. So the scenario would be (assuming you are running 2.4 patch 6, which fixes the CoA on reprofile issue):
  1. Device attaches and hits limited access rule.
  2. IP is learned by ISE and the device is profiled on guest VLAN.
  3. ISE sends CoA on reprofile to ReAuth the user.
  4. User hits the guest VLAN rule.
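The two replies above make the same point from different angles: the subnet rule the original poster wants cannot fire on the first MAB Access-Request because the Framed-IP-Address attribute is not there yet, and it only becomes usable once the endpoint has been let on in a limited-access state and comes back through a CoA-triggered re-authentication. The following is an added illustration, not code from Cisco ISE or from anyone in this thread: a minimal first-match policy evaluator run over a constructed three-message session (initial Access-Request, Accounting-Request, post-CoA Access-Request). The guest subnet 10.20.0.0/14, the MAC address, the IP address and the rule names are all assumed values, and the `equals_conditions_needed` helper only quantifies why listing the /14 as individual "Equals" conditions is not practical.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Assumed guest subnet (a /14, as in the original question); not from the page.
GUEST_SUBNET = ipaddress.ip_network("10.20.0.0/14")

# Constructed sample session for one MAB endpoint. The first Access-Request
# carries only the MAC (Calling-Station-Id); the IP shows up later in
# accounting and again in the re-authentication that follows a CoA.
SAMPLE_SESSION: List[Dict[str, str]] = [
    {"type": "Access-Request", "Calling-Station-Id": "00:11:22:33:44:55"},
    {"type": "Accounting-Request", "Calling-Station-Id": "00:11:22:33:44:55",
     "Framed-IP-Address": "10.21.5.7"},
    {"type": "Access-Request", "Calling-Station-Id": "00:11:22:33:44:55",
     "Framed-IP-Address": "10.21.5.7", "Reauth": "yes"},
]


def ip_in_subnet(msg: Dict[str, str],
                 subnet: ipaddress.IPv4Network) -> Optional[bool]:
    """Subnet condition: True/False on a match, None when the request
    carries no Framed-IP-Address at all (the condition cannot evaluate)."""
    addr = msg.get("Framed-IP-Address")
    if addr is None:
        return None
    return ipaddress.ip_address(addr) in subnet


def equals_conditions_needed(subnet: ipaddress.IPv4Network) -> int:
    """How many 'Framed-IP-Address Equals x' conditions an OR-list would
    need to cover the whole subnet (the only operators ISE offers here)."""
    return subnet.num_addresses


# Ordered rules, evaluated first-match like an ISE authorization policy set.
# A condition returning None or False falls through to the next rule.
RULES: List[tuple] = [
    ("Guest-Subnet-Permit",
     lambda m: bool(ip_in_subnet(m, GUEST_SUBNET))),
    ("Default-Deny", lambda m: True),
]


def evaluate(msg: Dict[str, str],
             rules: List[tuple] = RULES) -> Optional[str]:
    """Return the name of the first matching rule for an Access-Request,
    or None for accounting traffic, which is never authorized."""
    if msg["type"] != "Access-Request":
        return None
    for name, condition in rules:
        if condition(msg):
            return name
    return None


def walk_session(session: List[Dict[str, str]]) -> List[Optional[str]]:
    """Evaluate every message of a session in order."""
    return [evaluate(m) for m in session]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_SESSION, walk_session(SAMPLE_SESSION)):
        print(f"{msg['type']:<19} ip={msg.get('Framed-IP-Address', '-'):<10} -> {result}")
    print("Equals conditions needed for", GUEST_SUBNET,
          "=", equals_conditions_needed(GUEST_SUBNET))
```

Run as a script, the first Access-Request lands on Default-Deny because the subnet condition has nothing to evaluate, the accounting message is not an authorization at all, and only the re-authentication after the CoA reaches the guest rule. That is exactly why the reply above argues for a limited-access default rule instead of a deny: without it the endpoint never gets the IP that the subnet condition needs.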
ldanny (Cisco Employee)

Here is a suggestion from another thread:

https://community.cisco.com/t5/identity-services-engine-ise/send-interface-description-in-radius-attribute/td-p/3566901
Maybe also worth running some AAA debugs and see what attributes you could perhaps match on.