06-27-2023 10:28 AM
Hello,
We have a fleet of Dell docking stations of several model types but most recently use U22. We use various Latitude model laptops on these docks as well as non-Dell laptops with USB-C ports. All docks are shared as users float around (think of it as hotel stations). In the Dell BIOS on newer laptops, you can enable MAC address pass-through which makes ISE see the MAC of the internal laptop NIC and not the MAC of the dock itself.
Is this a Dell issue that I need to ask them about, or can anyone think of a solution within ISE where I can use a creative policy to give some limited access until a user authenticates via some sort of redirected auth portal page or something?
Thanks,
Pete
06-28-2023 05:56 AM
This is an endpoint issue at the end of the day. That being said, what's the use-case for MAB at all on these machines? Why not do PEAP (or better yet EAP-TLS or TEAP) across the board?
06-28-2023 06:46 AM
I agree it's an endpoint issue for sure. Management wanted to grandfather the currently connected devices like docks. The problem is that since they added all the MAC addresses for all the docks into an ID group and allow access, any laptop that uses that dock gets network access. Since not all laptops are managed, this presents an issue. The domain-joined AD laptops do prefer PEAP and users get Dot1x. It's the unmanaged machines which are the issue. Are you suggesting all users regardless of use case should have AD creds and use PEAP in all cases instead of MAB?
06-28-2023 07:16 AM
Yes - I am suggesting that all machines should be managed. What is the use-case for allowing unmanaged machines onto the network?
06-28-2023 07:23 AM
While I agree with you that all machines should be managed, at a school that allows unmanaged machines (BYOD) this isn't possible. We've also toyed with the idea of making users register before granting network access from unmanaged PCs, but ISE's portal redirection doesn't provide a consistent user experience. Each OS and/or browser behaves differently, which causes user frustration.
06-28-2023 07:34 AM - edited 06-28-2023 07:54 AM
Yup, you describe EXACTLY why BYOD sucks. Is registering these personal devices to an MDM possible? You could then integrate that MDM with ISE. I would argue what is the point of 802.1X/MAB at all if you are just allowing any MAB device?
Sure, you could do a wired captive portal redirect and authenticate using a splash page. You still have the issue though of allowing unmanaged endpoints (with who knows what on them) onto the protected network without any oversight so I would still advocate for some sort of MDM registration. Posture is also an option here but you will face similar hurdles with doing Posture on unmanaged endpoints.
06-28-2023 08:03 AM - edited 06-28-2023 08:03 AM
How about restricting the MAB access to limited services if required, such as DHCP, DNS, and NTP, then denying anything to the RFC1918 ranges and finally allowing only internet access? In that case the unmanaged devices would have limited access, and when a managed device connects to that port the dot1x will override the MAB restrictions.
06-28-2023 08:43 AM
@ahollifield I like the option to use an MDM. We use AirWatch for mobile. Can that be used with ISE, and is its user experience better than ISE's BYOD experience?
@Aref Alsouqi That's a good idea too. Since we use Dell docking stations we would need to get the OUI or build a profile for them so we can differentiate them from other things like USB dongles, etc. One issue we have with these docks is that they don't appear until the USB-C cable is connected to a laptop. Modern Dell laptops pass the laptop's MAC through the dock and appear as a laptop to the network, but most other laptops use the dock's MAC address. It's an interesting puzzle for sure.
06-28-2023 12:55 PM
I think you could still create an authorization rule with conditions to look at the profile of those dongles and the authentication protocol which will be MAB in this case and then apply the restriction.
06-29-2023 06:25 AM
@Aref Alsouqi could you please elaborate on this a little? Do you have an example?
06-29-2023 08:12 AM
If those USB dongles get profiled with something on ISE, then I think you can create an authorization rule to look at that profiler attribute as well as MAB as the authentication method. This way that rule will potentially match only the traffic coming from the unmanaged devices, and on this rule you can apply a dACL to restrict access to the network. For the managed devices you will have their dedicated rule that has no access restrictions. I hope this makes sense.
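As an added illustration of the two suggestions above (the DHCP/DNS/NTP-only dACL and the profile-plus-MAB authorization rule), not part of anyone's post in this thread: the dACL below is what the restricted MAB rule would push to the switch. The dACL name, the resolver/NTP addresses (10.0.0.53 and 10.0.0.123) and the profile name "Dell-Dock" are placeholders; the authorization rule is assumed to match the built-in Wired_MAB condition AND EndPoints:EndPointPolicy EQUALS Dell-Dock, with the result PermitAccess plus this dACL. Lines beginning with "!" are explanatory and are dropped when pasting into the ISE dACL editor.

```text
! dACL name (placeholder): DOCK-MAB-RESTRICTED
! Source is always "any": the switch substitutes the session's IP address,
! so IP device tracking must be enabled on the access switch.
! 1. Let the unmanaged endpoint obtain an address
permit udp any eq bootpc any eq bootps
! 2. DNS and NTP only to the campus resolvers/time source (placeholder addresses)
permit udp any host 10.0.0.53 eq domain
permit tcp any host 10.0.0.53 eq domain
permit udp any host 10.0.0.123 eq ntp
! 3. Deny every other RFC1918 destination so a shared dock cannot reach internal resources
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
! 4. Anything left is internet-bound and permitted
permit ip any any
```

A managed laptop that completes 802.1X on the same port matches its own authorization rule, so the session gets the unrestricted result and this dACL is never applied to it; if the dock uses its own MAC and falls back to MAB, the session is held to these entries until a user or machine authenticates.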
06-28-2023 02:07 PM
Yup AirWatch is supported: https://community.cisco.com/t5/security-knowledge-base/ise-security-ecosystem-integration-guides/ta-p/4782363#toc-hId--1961519897
https://techiecheng.files.wordpress.com/2021/01/airwatch-cisco-ise-integration.pdf
https://thomascheng.net/2020/05/27/integrating-vmware-workspace-one-uem-by-airwatch-with-cisco-identity-services-engine-ise/
Yes, any MDM solution will be leagues better than ISE BYOD since the MDM has much deeper control of the device itself.
06-29-2023 06:25 AM
@ahollifield I'm checking these out. Much thanks.
06-28-2023 09:15 AM
As stated in a previous answer, you should target the end devices and set a minimum compliance standard to grant access.
If you cannot provision these workstations because they are not centrally managed, you should at least distribute an onboarding script that installs the required connection settings and, IMHO, a certificate for the machine (even via SCEP). These are all things that the ISE onboarding portal does, but it's true that it may be inconsistent.
Anyway, after you have a certificate and a connection profile you should make them connect via TEAP (Windows) or EAP-TLS (macOS) at minimum (with TEAP always my preference, but Apple somehow doesn't like it...).
My suggestion is to consider also posture for these workstations with the necessary remediation (updates, AV, etc).
06-29-2023 06:27 AM
@giovanni.augusto These are all good suggestions. Let me discuss it with the other internal team members and see what they think. Much appreciated.