06-25-2018 03:43 PM
Hello ISE Team,
Is the IP-address-to-user mapping table (currently using AD) informed/modified by the information gleaned from an 802.1X RADIUS-based authentication? Is one of those two sources of IP address preferred? Does one source of IP address overwrite the other?
I'm trying to address a scenario/vulnerability where the IP-address-to-user mapping does not accurately reflect the existing and current login.
best regards,
David Daverso
cc:fracaen
06-26-2018 04:17 AM
If referring to the Passive Identity feature, then the mapping is acquired from the passive ID source, whether AD, syslog, or other. The merger of Passive Identity with RADIUS is a function of the Easy Connect feature, where we correlate the IP from Passive Identity with that from "Active" Identity (RADIUS auth). If there is no match in IP, then there can be no merger, so mismatched IP addresses cannot result. However, once a merger takes place and a MAC address is associated with the session, then the IP address can change in RADIUS and still be associated with the same Passive ID entry.
Example: a user logs into AD over the wired network, and MAB authentication results in a merger of the two events. The user then disconnects and reconnects at another location, or leaves and comes back to the same location. Here the user may be allocated a different IP address, but the MAC is still the same. Here the session may be updated with the new IP even though the original Passive login to AD shows the original IP.
/Craig
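To make the merge behaviour described in the answer concrete, here is a small Python model of it. This is an added illustration, not ISE code or any Cisco API: the class and method names (`SessionDirectory`, `passive_login`, `radius_start`, `stale_passive_entries`) and the sample users, MACs and IPs are all constructed for the example. It follows the stated rules: a passive (AD) entry and a RADIUS session merge only when their IPs match; after the merge the session is keyed by MAC, so a reconnect with a new IP updates the session while the passive entry keeps the original IP. The last function reports exactly that divergence, which is the stale-mapping condition the question is concerned about.

```python
"""Toy model of Passive Identity / RADIUS session merging (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PassiveEntry:
    """An IP-to-user mapping learned from a passive source (e.g. AD logon events)."""
    user: str
    ip: str


@dataclass
class RadiusSession:
    """An active session learned from RADIUS (MAB/802.1X); keyed by MAC."""
    mac: str
    ip: str
    user: Optional[str] = None  # filled in once merged with a passive entry


class SessionDirectory:
    """Hypothetical correlator implementing the merge rules described in the answer."""

    def __init__(self) -> None:
        self.passive: Dict[str, PassiveEntry] = {}   # keyed by IP as learned
        self.sessions: Dict[str, RadiusSession] = {}  # keyed by MAC

    def passive_login(self, user: str, ip: str) -> None:
        """Record a passive identity event (e.g. an AD logon seen at this IP)."""
        self.passive[ip] = PassiveEntry(user, ip)
        self._try_merge()

    def radius_start(self, mac: str, ip: str) -> None:
        """Record a RADIUS session start; a known MAC keeps its merged user."""
        session = self.sessions.get(mac)
        if session is None:
            self.sessions[mac] = RadiusSession(mac, ip)
        else:
            # Same endpoint reconnecting with a new address: only the IP moves.
            session.ip = ip
        self._try_merge()

    def _try_merge(self) -> None:
        """Merge only on an exact IP match; no match means no merger."""
        for session in self.sessions.values():
            if session.user is None and session.ip in self.passive:
                session.user = self.passive[session.ip].user

    def user_for_ip(self, ip: str) -> Tuple[Optional[str], Optional[str]]:
        """Resolve an IP to a user, preferring a merged RADIUS session over passive data."""
        for session in self.sessions.values():
            if session.ip == ip and session.user is not None:
                return session.user, "radius-merged"
        if ip in self.passive:
            return self.passive[ip].user, "passive"
        return None, None

    def stale_passive_entries(self) -> List[Tuple[str, str, str]]:
        """Return (user, passive_ip, current_session_ip) where the two sources disagree."""
        stale = []
        for session in self.sessions.values():
            if session.user is None:
                continue
            for entry in self.passive.values():
                if entry.user == session.user and entry.ip != session.ip:
                    stale.append((entry.user, entry.ip, session.ip))
        return stale


def walkthrough() -> SessionDirectory:
    """Replay the answer's example with constructed sample values."""
    d = SessionDirectory()
    d.radius_start("00:11:22:33:44:55", "10.0.0.10")  # MAB session, no user yet
    d.passive_login("alice", "10.0.0.10")             # AD logon at same IP -> merge
    d.radius_start("00:11:22:33:44:55", "10.0.0.77")  # reconnect elsewhere, new IP
    return d


if __name__ == "__main__":
    directory = walkthrough()
    print(directory.user_for_ip("10.0.0.77"))
    print(directory.stale_passive_entries())
```

Running the walkthrough, the old IP still resolves to the user through the passive entry while the new IP resolves through the merged session, and `stale_passive_entries()` lists the disagreement; a periodic check of that kind is one way to surface the stale-mapping condition rather than discovering it during an investigation.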