Identifying first time corporate login to network

eddiem
Cisco Employee

Here is an interesting ISE network access requirement I wanted to run by the experts. The requirement is to force a new corporate user through a captive portal to read and accept the corporate internet use policy. The customer is a heavy Microsoft/AD shop and has the capability to write ADSI scripts to modify AD on the fly or perhaps even using ISE EPS APIs.  So given that, is this the best option?

  1. ISE wired and wireless policy has an authZ rule that states if user belongs to ‘Unsigned_AUP’ AD group, they get restricted access and redirected to the AUP captive portal.
  2. After new corporate user reads and signs the AUP, this captive portal has ADSI scripting to drop the respective user from the ‘Unsigned_AUP’ AD group.
  3. The same captive portal script uses the ISE EPS API to bounce (CoA) the user off of the network. When the user logs back in, they will no longer be in the 'Unsigned_AUP' group and will fall into whatever desired authZ rule.

The piece I'm not sure on is how the user gets bounced in step 3.  In the typical guest or BYOD flow, the portal is running on an ISE node, so ISE knows how to reach the PSN to CoA the user.  But in this flow the customer owns this 'New user captive portal'.  What ISE node would this EPS API talk to in order to CoA the user, MnT?

Thanks in advance

Accepted Solution

Craig Hyps
Level 10

Eddie,

They can call the REST API against the ISE MnT node to retrieve session info and trigger CoA.  Another option is to simply have them accept the AUP in ISE, or link to an external AUP from a CWA/Hotspot page, which also flags AUP accept in ISE.  This too will trigger CoA upon completion to allow a different policy to be hit if the authorization result is different.

Craig


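As an added example (not code from the thread, Cisco or ISE), here is what the customer's post-AUP hook would do in Python, following Craig's answer: drop the user from the 'Unsigned_AUP' AD group, ask the MnT node for the user's live sessions, then send a CoA re-auth through MnT naming the PSN that owns each session. The MnT endpoint paths, the reply field names (calling_station_id, acs_server), the re-auth type codes, the hostnames and the sample reply are all assumptions; check them against the ISE API reference for the deployed release before use.

```python
"""Post-AUP hook: remove user from the Unsigned_AUP AD group, then CoA the
user's live session(s) via the ISE MnT REST API.  Added example; endpoint
paths and the reply schema are assumptions to verify for your ISE release."""
import base64
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Assumed MnT REST paths (HTTP basic auth with an admin account that has MnT
# API rights).  The CoA call goes to MnT but names the PSN owning the session.
SESSION_BY_USER = "https://{mnt}/admin/API/mnt/Session/UserName/{user}"
COA_REAUTH = "https://{mnt}/admin/API/mnt/CoA/Reauth/{psn}/{mac}/{rtype}"
REAUTH_RERUN = 2  # assumed codes: 0 DEFAULT, 1 LAST, 2 RERUN (re-run full policy)


def norm_mac(mac: str) -> str:
    """Normalise 0011.2233.4455 / 00-11-22-33-44-55 / 00:11:... to 00:11:22:33:44:55."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_sessions(xml_text: str) -> List[Dict[str, str]]:
    """Return (mac, psn) for every session in the MnT reply.  With shared wired
    desktops one user can hold several live sessions, so all are returned.
    The walk is schema-tolerant: any element carrying both assumed child
    fields calling_station_id and acs_server counts as one session."""
    root = ET.fromstring(xml_text)
    sessions = []
    for node in root.iter():
        mac = node.findtext("calling_station_id")
        psn = node.findtext("acs_server")
        if mac and psn:
            sessions.append({"mac": norm_mac(mac), "psn": psn.strip()})
    return sessions


def coa_after_aup(user: str, mnt: str,
                  fetch: Callable[[str], str],
                  drop_from_aup_group: Callable[[str], None]) -> List[str]:
    """Order matters: change AD first, CoA second.  A RERUN CoA makes ISE
    re-evaluate policy with freshly read AD groups; if the user were still in
    Unsigned_AUP they would land straight back on the redirect rule."""
    drop_from_aup_group(user)
    sessions = parse_sessions(fetch(SESSION_BY_USER.format(mnt=mnt, user=user)))
    if not sessions:
        return []  # user not on the network right now; nothing to bounce
    sent = []
    for s in sessions:
        url = COA_REAUTH.format(mnt=mnt, psn=s["psn"], mac=s["mac"], rtype=REAUTH_RERUN)
        fetch(url)
        sent.append(url)
    return sent


def make_mnt_fetch(username: str, password: str, cafile: str) -> Callable[[str], str]:
    """GET with basic auth against MnT.  Verify the MnT certificate against the
    CA that issued it (cafile) instead of disabling TLS checks."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context(cafile=cafile)

    def fetch(url: str) -> str:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Basic {token}", "Accept": "application/xml"})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.read().decode()
    return fetch


# Constructed sample reply (not captured from a real ISE): two live sessions
# for the same user, on different PSNs, with differently formatted MACs.
SAMPLE_XML = """<activeList noOfActiveSession="2">
  <activeSession><user_name>jdoe</user_name>
    <calling_station_id>00:11:22:33:44:55</calling_station_id>
    <acs_server>ise-psn-1</acs_server></activeSession>
  <activeSession><user_name>jdoe</user_name>
    <calling_station_id>aabb.ccdd.eeff</calling_station_id>
    <acs_server>ise-psn-2</acs_server></activeSession>
</activeList>"""


def demo() -> List[str]:
    """Offline run with a fake transport; returns the CoA URLs that would be sent."""
    calls: List[str] = []

    def fake_fetch(url: str) -> str:
        calls.append(url)
        return SAMPLE_XML if "/Session/UserName/" in url else "<ok/>"

    urls = coa_after_aup("jdoe", "ise-mnt.example.com", fake_fetch,
                         lambda u: calls.append(f"AD:remove {u} from Unsigned_AUP"))
    assert calls[0].startswith("AD:remove")  # group change preceded the CoA
    return urls


if __name__ == "__main__":
    for u in demo():
        print(u)
```

In a Windows shop the `drop_from_aup_group` callback would wrap the ADSI script or `Remove-ADGroupMember` the customer already has; the example keeps it injectable so the flow runs offline. RERUN rather than a disconnect keeps the port up and avoids a visible drop for the user, which matters on shared wired desktops.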

Thanks Craig, that helps.  Can I assume if we used ISE for the AUP, we'd still need some external source to tell us if the user was a first-time login using the AD group I mentioned above? Otherwise I'm not sure how ISE would know it was the first time that user logged into the network. We can't use the endpoint MAC because the PC may be recycled from a previous user.

AUP is flagged to the endpoint, not user, but you may be able to combine your external AUP (link to it from CWA login page) and rely on local CoA from ISE to pick up the change in AD.  For example:

Rule 1 - If EAP success and AD:AUP flag = true, then Permit

Rule 2 - If EAP success and AD:AUP flag = false, then CWA_AUP (or Hotspot AUP)

/Craig

hslai
Cisco Employee

If the customers mainly need users to ack access to an AD computer, it might not need to use ISE to enforce it at all. I am thinking to use a login script to check some Windows registry value or the like and pop up a modal window if not yet set to the ack'ed value, etc.

eddiem
Cisco Employee

Thanks Hsing.  Although customer is a heavy Microsoft shop, we're not sure if all endpoints will be Windows so wanted to suggest a solution that leveraged network access and worked for non-Windows endpoints.

How about something like this (though this is endpoint-constrained vs. user-constrained):

1. User with endpoint not previously seen logs in.

2. Check if endpoint is in identity group EUP-Signed (for example)

3. If in identity group, then allow access

4. if not in identity group, then redirect using a hotspot portal with EUP. Have that hotspot portal place the endpoint in the EUP-Signed identity group once the user accepts the EUP

If you want the policy bound to a user, maybe you can do something with AD groups or a user attribute in AD using an external EUP portal. Once the user accepts the EUP, the portal adds the attribute to the user in AD and then generates a COA for the session.

George

Thanks George,  The customer has plenty of wired/shared desktops.  Therefore the solution needs to be focused on the user, not the endpoint.  Since customer has skilled IT staff willing to write scripting to dynamically update AD, we thought using an AD group to track first time logins would be effective. 
