Solved: Posture lease and profile data for devices behind USB/DisplayLink docking stations

giosif · ‎04-20-2018

Hi,

I have a customer using some docking stations to which devices (Windows and Mac-based) connect via USB in order to get access to the wired network, external monitors and keyboard & mouse.

The issue with this approach is ISE can only see the MAC address from the wired adapter of the docking station, irrespective of what device is actually connected to the docking station.

And the consequence of the above is that the posture lease and profiling data are not representative of the actual device connecting to the network.

The customer is saying that, during Cisco Live in Berlin last year, they got the impression Cisco were looking to find a different kind of device identifier that would address the above situation.

Can someone please confirm whether this is indeed the case and if we plan to have the feature available anytime soon?

Or could it have been the Unique Identifier (UDID) attribute (which, AFAIK, is only being used as information in endpoint context visibility and not for device unique identification for posturing purposes)?

Thanks,

George

Craig Hyps · ‎04-23-2018

AnyConnect UDID does provide a per-host ID and is used for Compliance checking for Posture and MDM. For the case of basic AAA, then authentication will ensure the unique identity of user or machine (depending on auth method). Profiling may not be reliable as single MAC keep changing attributes. As such, the known docking stations could be assigned a fixed profile like "Docking-Station".

View solution in original post

Craig Hyps · ‎04-23-2018

AnyConnect UDID does provide a per-host ID and is used for Compliance checking for Posture and MDM. For the case of basic AAA, then authentication will ensure the unique identity of user or machine (depending on auth method). Profiling may not be reliable as single MAC keep changing attributes. As such, the known docking stations could be assigned a fixed profile like "Docking-Station".

giosif · ‎04-23-2018

Thanks, Craig!

My customer is using a 24 hours posture lease.

So, if I understand your response correctly, given a desktop device running AnyConnect, once it is postured in the morning, while connected to docking station A, it should not get re-postured, irrespective of which docking station it is connecting from throughout that day, be that station A or any other.

Can you please confirm?

Also, is there a minimum version of AnyConnect and ISE we would need to run for this to work as described?

I believe ISE needs to be at least on version 2.2 (which is the case with my customer).

Not sure about AnyConnect version requirements, though (my customer is running version 4.2, planning to upgrade to 4.6).

Thank you again!

Craig Hyps · ‎04-23-2018

Correct. There will be a check but when AC submits UDID to PSN, PSN can validate if active lease and return Posture Compliant status at initial connection.

AC 4.3 added AC UDID, but recommend 4.5 current MR or higher.

giosif · ‎04-24-2018

Great!

Thank you for all the information!

giosif · ‎09-05-2018

Apologies for reviving this old thread, but the topic came up again in my conversations with the customer and I am looking to confirm one detail: does ISE actually "enforce" the UDID check in its evaluation whether to require posture or not, for a given session?

Or is it that ISE just honors the UDID information, if present?

As I mentioned previously, the customer is using some USB docking stations with built-in wired NIC's on hot desks and, over a period of time, multiple devices connect to the same docking station (in sequence, one at a time, not simultaneously).

On the network side, however, each such session appears as coming from the same MAC address (i.e. the USB docking station NIC's MAC address).

And, what we currently see with ISE 2.2, is that, once the first connected endpoint gets postured, none of the endpoints subsequently connecting to that given USB docking station get postured until the posture lease for that first posture expires.

If ISE is indeed using UDID instead of the MAC address, shouldn't ISE require posturing as soon as the second endpoint connects to the USB docking station (and, then, for any of the subsequent endpoints)?

Thanks!