08-26-2017 03:18 PM
What I know: when a user logs in to his machine, which is connected to a switch port, ISE will push an authorization profile which contains a dACL, so it will set permissions for traffic going from that port.
But if a user makes an RDP connection to a remote server, can ISE control traffic going out from that remote server depending on the user who made the RDP connection to that server?! Or will it control only traffic initiated from the first user?
For any point that is not clear, please let me know.
Thanks.
08-27-2017 04:47 AM
I am not sure what happens if the server is running 802.1x and you RDP to it. I have never tested to see whether the user that logs in can trigger a user-auth 802.1x session with the switch. I rarely run 802.1x on the servers and never to ISE on the datacenter switches.
In theory, if you are running ISE on the switch where the server is connected, the server is configured to do 802.1x, and the RDP session triggers a user-based 802.1x authentication, then you would be able to trigger a dACL for that user.
This should be easy for you to test.
08-27-2017 12:46 AM
Hello,
I appreciate your ideas.
Thanks.
08-27-2017 04:59 AM
Exactly. To have ISE dynamic controls such as applying ACLs or tags, you will need to have the switchport of the host that needs control be managed by ISE.
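The point in this reply is that ISE can only apply a dACL to the authenticated session on the host's own access port; it has no hook into an RDP login happening inside that host. As an added illustration (not posted by anyone in this thread, and not Cisco's reference configuration), this is what an ISE-managed access port looks like on a classic Cisco IOS switch, with the show commands that reveal which identity and dACL the server's port currently carries; the ISE address, shared secret, VLAN and interface are placeholders.

```cisco
! --- Global AAA / RADIUS towards the ISE policy service node (placeholder values) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
! Needed so ISE can return the dACL as a cisco-av-pair and the switch can apply it
radius-server vsa send authentication
dot1x system-auth-control
! Classic IOS needs IP device tracking to bind the downloaded ACL to the host IP
ip device tracking
!
! --- Access port of the RDP server: the session on THIS port is what ISE controls ---
interface GigabitEthernet1/0/10
 description RDP-SERVER (placeholder)
 switchport mode access
 switchport access vlan 100
 ! One MAC per port: whatever identity the server's supplicant presents
 ! (machine or user) becomes this port's session and receives the dACL
 authentication host-mode single-host
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! --- Check: which identity (User-Name) and dACL (ACS ACL) the server's port carries ---
! show authentication sessions interface GigabitEthernet1/0/10 details
! show ip access-lists
! (the downloaded dACL shows up as an ACL named xACSACLx-IP-<profile-name>-<hash>)
```

Running the check before and after an RDP login to the server shows whether the port's session identity actually changed, which is the test suggested in the accepted answer.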
08-28-2017 02:53 AM
Thank you Paul,
I agree with you that servers and the Data Center should be kept out of ISE. I have tested that: when a user tries to make an RDP connection to a remote server, he will be authenticated and it will work normally as per the authorization profile pushed on that port according to the user who made the RDP connection to that server and logged in.
But when trying to log in with another user whose password was expired, the user sees an AnyConnect message telling him to enter the old and new password, but he did not enter anything; after a few minutes the session will be dropped, and ISE will show in its log that the user tried to log in with an expired password. By this, the connection to the remote server is dropped.
You must unplug and plug the cable again to let the remote server be authenticated and authorized through the machine authorization rule. So this is not stable, so I think it is not recommended to do that; at first it will work, but there will be issues when we try different situations.