Cisco ISE CWA for guest devices

InfraISE2020
Level 1

Good Evening all,

 

I have an issue that I am hoping you can help me with, as I didn't get much joy from Cisco support.

 

Some guest devices connect via docks (mainly Surface docks and the odd Dell). These devices hit a CWA redirect policy, sign in with credentials and then get MAC authenticated, and the device is added to an endpoint identity group. We are seeing sessions being linked to the MAC address of the dock: if one device connects via a dock, authenticates and subsequently disconnects, and a different device then connects, the new device is automatically authenticated with the previous guest user's credentials (and the MAC address of the dock), as this has already been added to the endpoint identity group. We believe we can set up a schedule to remove all device MAC addresses from the identity group every day, but this doesn't work for hot desks where multiple devices could connect to the same dock throughout the day.

 

1. Have you come across any issues like this before and do you have any suggested solutions?

2. Is it possible to remove a device identity after a period of inactivity?

a. If possible, how would this work given that the ethernet connection via the dock is never disconnected?

 

Ultimately our end goal is to enable 802.1X on all of our user switches, query Intune (MDM) to see if the device is a corporate/compliant device and then put it on the corporate VLAN; should the device fail the Intune check, redirect it to a portal to log in and authenticate. I have the MDM part sorted but I am struggling with docks and USB network adapters.

 

Any help is appreciated. 

3 Replies

Damien Miller
VIP Alumni

This is a common issue with docks for the reasons you described. The MAC address of the dock is shared between machines that connect to it. The easiest way to avoid this is not to connect Ethernet to the dock and force those endpoints to connect to guest services through wireless.

 

Another option could be to identify all the MAC addresses for the docks and force them into a policy flow that doesn't have registered guest enabled. This can lead to some frustration since users will end up having to reauthenticate if they unplug then return.
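The failure mode described in the question, and the dock-exclusion mitigation suggested above, can be modelled in a few lines. The following is an added example written for this page; it is not ISE code or anything posted in the thread. It models the registered-guest CWA flow as a policy keyed on MAC address (the endpoint identity group is the `registered` dict), runs the hot-desk scenario twice, and shows that a daily purge of the group does not help while a dock MAC exclusion list does. The guest accounts, the dock MAC `aa:bb:cc:00:00:01`, the `GuestPolicy` class and its `connect`/`purge` methods are all constructed for illustration; the real enforcement point would be an ISE authorization rule matching the dock MACs ahead of the registered-guest rule.

```python
"""Toy model of a CWA registered-guest flow keyed on MAC address.

Constructed example for illustration: GuestPolicy is not an ISE API, and the
accounts and MAC addresses below are placeholders, not real data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"          # MAB succeeds: endpoint is in the guest group
    REDIRECT_CWA = "redirect"  # unknown endpoint: send to the guest portal


# Constructed sample data (hypothetical credentials and dock MAC).
GUEST_ACCOUNTS = {"alice": "Alice-pass-1", "bob": "Bob-pass-2"}
DOCK_MAC = "aa:bb:cc:00:00:01"   # hypothetical MAC of a shared dock


@dataclass
class GuestPolicy:
    registered: dict = field(default_factory=dict)  # MAC -> guest user (endpoint group)
    last_seen: dict = field(default_factory=dict)   # MAC -> hour of last portal login
    dock_macs: set = field(default_factory=set)     # MACs excluded from registration

    @staticmethod
    def norm(mac: str) -> str:
        return mac.lower().replace("-", ":")

    def connect(self, mac, now_h, credentials=None):
        """Authorize a new session on `mac` at hour `now_h`.

        `credentials` is the (user, password) typed at the portal, or None if
        nobody has logged in for this session yet. Returns (Decision, user).
        """
        mac = self.norm(mac)
        shared = mac in self.dock_macs
        # A previously registered MAC is permitted without a portal login,
        # unless it is a dock MAC that several different devices share.
        if mac in self.registered and not shared:
            return Decision.PERMIT, self.registered[mac]
        if credentials is None:
            return Decision.REDIRECT_CWA, None
        user, password = credentials
        if GUEST_ACCOUNTS.get(user) != password:
            return Decision.REDIRECT_CWA, None
        # Persist the MAC only when it identifies a single device.
        if not shared:
            self.registered[mac] = user
            self.last_seen[mac] = now_h
        return Decision.PERMIT, user

    def purge(self, now_h, max_age_h=24):
        """Scheduled clean-up: drop endpoints registered >= max_age_h ago."""
        stale = [m for m, t in self.last_seen.items() if now_h - t >= max_age_h]
        for m in stale:
            self.registered.pop(m, None)
            self.last_seen.pop(m, None)
        return len(stale)


def hot_desk(exclude_dock: bool):
    """Alice's laptop uses the dock at 09:00; Bob's laptop uses it at 10:00.

    Returns the decision Bob's laptop gets before anyone logs in.
    """
    policy = GuestPolicy(dock_macs={DOCK_MAC} if exclude_dock else set())
    # Alice is redirected, logs in, and the dock MAC gets registered.
    assert policy.connect(DOCK_MAC, 9) == (Decision.REDIRECT_CWA, None)
    assert policy.connect(DOCK_MAC, 9, ("alice", "Alice-pass-1")) == (Decision.PERMIT, "alice")
    # The daily purge runs, but the entry is only an hour old, so it survives.
    policy.purge(now_h=10)
    # Bob plugs a different laptop into the same dock; nobody has logged in.
    return policy.connect(DOCK_MAC, 10)


if __name__ == "__main__":
    print("no dock exclusion :", hot_desk(exclude_dock=False))  # Bob inherits alice
    print("dock MAC excluded :", hot_desk(exclude_dock=True))   # Bob is redirected
```

Without the exclusion list the second laptop is permitted as `alice` because the dock's MAC, not the laptop's, is what was registered; with the dock MAC excluded every session on that port goes back through the portal, which is exactly the re-authentication cost Damien mentions.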

Hi Damien,
Thanks for the reply.
Could you elaborate on the dock MAC addresses/policy flow option, ideally with some screenshots if possible?
Thanks

You are allowing your guest users to use your provided guest devices? So they are your corporate assets?

Why not just use machine certificates for these "Guest" devices since you don't seem to care who the users are?

If you do care who the users are, consider using Sponsored Guest and have your guest users login using assigned usernames & passwords with 802.1X (wired or wireless) rather than deal with tracking MAC addresses in the guest flow?