can ISE control traffic goes out from remote server after user make RDP on that server

engahmedsaied
Level 1

What I know is that when a user logs on to his machine, which is connected to a switch port, ISE will push an authorization profile which contains a dACL, so it sets permissions for the traffic going out from that port.

But if the user makes an RDP connection to a remote server, can ISE control the traffic going out from that remote server depending on the user who made the RDP connection to that server?! Or will it only control the traffic initiated by the first user?

If any point is not clear, please let me know.

Thanks.


engahmedsaied
Level 1

Hello,

I would appreciate your ideas.

Thanks.

I am not sure what happens if the server is running 802.1x and you RDP to it.  I have never tested to see if the User that logs in can trigger a User Auth 802.1x session with the switch.  I rarely run 802.1x on the servers and never to ISE on the datacenter switches.

In theory if you are running ISE on the switch where the server is connected, the server is configured to do 802.1x and the RDP session triggers a User based 802.1x authentication then you would be able to trigger a DACL for that user. 

This should be easy for you to test.

Exactly, to have ISE dynamic controls such as applying ACLs or tags, you will need to have the switch port of the host that needs control be managed by ISE.
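As an added illustration of what "the switch port managed by ISE" means in practice (an example configuration written for this page, not from the thread or any poster), here is the port-level 802.1X/MAB configuration on a Cisco access switch that lets ISE push a dACL, followed by the kind of dACL content ISE carries in the authorization profile. Cisco IOS/IOS-XE syntax is assumed; the RADIUS server name and address, the shared secret, the interface name and the addresses in the dACL are placeholders.

```cisco
! Switch side (Cisco IOS/IOS-XE syntax assumed): AAA against ISE over RADIUS
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
dot1x system-auth-control
!
! Access port the endpoint is plugged into. Only a port configured like this
! has a session on ISE and can receive a dACL or a tag from the authorization
! profile; a host on an unmanaged port gets no per-user control at all.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
! ISE side: dACL content placed in the authorization profile for the
! authenticated identity. The source is implicitly the authenticated
! endpoint, so each ACE only specifies the destination. Addresses are
! placeholders from the documentation range.
permit udp any any eq domain
permit ip any host 192.0.2.10
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
```

The dACL is bound to the authenticated session on that port, so it filters what the endpoint on that port sends. A server reached over RDP but connected to a port without this configuration never has a session on ISE, so nothing it sends is filtered by a dACL, whichever user logged in over RDP.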

Thank you Paul,

I agree with you that servers and the data center should be kept out of ISE. I have tested that: when a user tries to make an RDP connection to a remote server, he will be authenticated and it will work normally according to the authorization profile pushed to that port for the user who made the RDP connection to that server and logged in.

But when trying to log in with another user whose password had expired, the user saw an AnyConnect message telling him to enter the old and new password, but he did not enter anything; after a few minutes the session was dropped, and ISE showed in its log that the user tried to log in with an expired password. Because of this, the connection to the remote server was dropped.

You must unplug and plug the cable in again to let the remote server be authenticated and authorized again through the machine authorization rule. So this is not stable, and I think it is not recommended to do that: at first it will work, but there will be issues when we try different situations.
