Beginner

Can ISE control traffic going out from a remote server after a user makes an RDP connection to that server?

What I know is that when a user logs in to his machine, which is connected to a switch port, ISE will push an authorization profile containing a dACL, so it will set permissions on the traffic going out from that port.

But if the user makes an RDP connection to a remote server, can ISE control the traffic going out from that remote server depending on the user who made the RDP connection to that server? Or will it control only traffic initiated by the first user?

If any point is not clear, please let me know.

Thanks.

Accepted Solution

VIP Engager

Re: Can ISE control traffic going out from a remote server after a user makes an RDP connection to that server?

I am not sure what happens if the server is running 802.1x and you RDP to it. I have never tested to see if the user that logs in can trigger a user-auth 802.1x session with the switch. I rarely run 802.1x on the servers, and never to ISE on the datacenter switches.

In theory, if you are running ISE on the switch where the server is connected, the server is configured to do 802.1x, and the RDP session triggers a user-based 802.1x authentication, then you would be able to trigger a DACL for that user.

This should be easy for you to test.

Beginner

Re: Can ISE control traffic going out from a remote server after a user makes an RDP connection to that server?

Hello,

I appreciate your ideas.

Thanks.

Cisco Employee

Re: Can ISE control traffic going out from a remote server after a user makes an RDP connection to that server?

Exactly. To have ISE dynamic controls such as applying ACLs or tags, you will need to have the switch port of the host that needs control be managed by ISE.

Beginner

Re: Can ISE control traffic going out from a remote server after a user makes an RDP connection to that server?

Thank you, Paul.

I agree with you that servers and the data center should be kept out of ISE. I have tested that: when a user tries to make an RDP connection to a remote server, he will be authenticated and will work normally, as per the authorization profile pushed to that port according to the user who made the RDP connection to that server and logged in.

But when trying to log in with another user whose password had expired, the user sees an AnyConnect message telling him to enter the old and new password, but he does not enter anything; after a few minutes the session is dropped, and ISE shows in its log that the user tried to log in with an expired password. With this, the connection to the remote server is dropped.

You must unplug and plug the cable again to let the remote server be authenticated and authorized through the machine authorization rule. So this is not stable, and I think it is not recommended to do that: at first it will work, but there will be issues when we try different situations.