08-29-2019 02:10 AM
I have configured dot1x to have full access and machine authentication to have limited server access for domain users. I have disabled MAB to prevent other machines from connecting to and accessing the network. But I have a problem here: how can I allow access for new machines that haven't joined the domain, or machines that have lost domain trust? I have created a whitelist group and provided it full network access, and I add the MAC address to the whitelist group when needed at the moment. But this is not practical. Any other suggestions?
08-29-2019 06:18 AM
This is a common situation for any 802.1x deployment. There will be times when a new device needs access or when an existing device is having problems and the Service Desk needs to access the machine remotely to resolve the problem, or to do a complete rebuild of the software.
What I do with my customers is create an Endpoint Identity Group called something like "Workstation Repair" and an associated authorization rule towards the top of the policy that allows access. Then use RBAC within ISE to give the Service Desk personnel the ability to log in and add MAC addresses to that whitelist group. That allows the client machine to access the network, and then the Service Desk can do what they need to do to fix it. Once resolved, they can move the MAC address out of that group.
As a backup to ensure that no MAC addresses stay in that group for too long, I create a purge policy that clears any MAC address from that group after 48-72 hours. This process keeps the Service Desk from having to engage Tier 2/3 every time.
The only other thing that you could do is allow "Guest" access with CWA on the switches. If no higher-level rule is hit, then allow limited access and redirect to the Guest Portal. If an Administrator logs in, then give full access. But in my opinion, this adds too much complexity to an already complex solution. And it requires someone to be physically at the machine to put credentials in. Hard to do in large Enterprise environments where there may not be administrators available at some remote locations.
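The "Workstation Repair" workflow above has two moving parts a Service Desk would script: statically assigning a MAC to the repair Endpoint Identity Group, and checking that nothing outlives the 48-72 hour purge window. This is an added example, not the poster's or Cisco's code; the ERS port 9060, the hostname, the group id placeholder, the ticket ids and the 48-hour cutoff are assumptions.

```python
"""Workstation Repair whitelist helper (added example, not from the thread).
Assumed, not on the page: ERS API on TCP 9060, the group name, ticket ids,
hostnames and the 48h purge window."""
import base64
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

PURGE_AFTER = timedelta(hours=48)  # lower end of the answer's 48-72h window

def normalize_mac(mac: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF, the form ISE ERS expects."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def repair_endpoint_payload(mac: str, group_id: str, ticket: str) -> dict:
    """ERS body that statically assigns the endpoint to the repair group.
    staticGroupAssignment keeps the profiler from moving it out again; the
    ticket in the description is the Service Desk's audit trail."""
    clean = normalize_mac(mac)
    return {"ERSEndPoint": {
        "name": clean, "mac": clean,
        "description": f"Workstation Repair - ticket {ticket}",
        "groupId": group_id, "staticGroupAssignment": True}}

def build_request(host, user, password, payload) -> urllib.request.Request:
    """POST /ers/config/endpoint with basic auth, returned unsent so the
    caller can log it, then send it with urllib.request.urlopen()."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}:9060/ers/config/endpoint", method="POST",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Basic {token}", "Accept": "application/json",
                 "Content-Type": "application/json"})

def overdue_entries(entries, now: datetime) -> list:
    """MACs that have sat in the repair group longer than PURGE_AFTER.
    Mirrors the ISE purge policy so the desk can audit the list itself."""
    return sorted(mac for mac, added in entries if now - added > PURGE_AFTER)

# Constructed sample data: two repairs, one well past the purge window.
SAMPLE_NOW = datetime(2019, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [("AA:BB:CC:00:00:01", SAMPLE_NOW - timedelta(hours=72)),
                  ("AA:BB:CC:00:00:02", SAMPLE_NOW - timedelta(hours=12))]
```

The group id in a real deployment comes from `GET /ers/config/endpointgroup` filtered by name; the request is built but deliberately not sent here.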
08-30-2019 06:53 AM
The problem is that if a particular user has never logged on to a specific machine, there are no cached credentials and the machine would have to connect to a domain controller to authenticate the user. If the user cannot log on to the machine, then the user credentials would never be presented by the supplicant. So trying to do user authentication for 802.1x would not work in this scenario. You have to authenticate the machine first to provide some access to the domain controllers. But as the original post stated, there are situations when machines somehow get removed from the domain. In that case, your only option would be to authenticate the machine using a certificate that is already on the machine, or use MAB and a whitelist group. As I stated previously, I recommend having MAB enabled with 802.1x using FlexAuth and then using a "Workstation Repair" whitelist in ISE to handle these types of situations. 802.1x is not going to work perfectly in all cases, so give yourself and the Service Desk a way to allow access temporarily for resolving supplicant issues.
09-04-2019 05:42 AM
@Mike.Cifelli, your "register your MAC for access" approach is what we do at Cisco on the wired side. You can't do anything without the machine being approved against a certain set of rules. We use the ISE API and also SGTs to put the correct ACLs on the session.