Exempt Endpoint from All ISE Policy

ryanbess
Level 1

Hello all,

We are looking for ways to exempt any kind of endpoint from all ISE Policies and just let it on the network.  Given that the endpoint could 

1. Be properly configured with 802.1x (Thus pass Authentication / Authorization)

2. Be improperly configured with 802.1x (Could pass or not pass Authentication and then could or could not pass Authorization)

3. Not even support 802.1x (this one is easy... the endpoint will never speak 802.1x)

How would you enable desktop support to simply add the MAC of the endpoint to a predefined endpoint group to bypass all ISE policies so that desktop support can troubleshoot?  The ask is not how to set up a new endpoint group or how to delegate to the EG, but how would you construct ISE Policies to support just letting the endpoint on the network regardless of how it's configured.

Thanks


6 Replies

Add the MAC address to a temporary Whitelist group?  Purge that group every 24 hours?  Add the authz rule for that EID at the very top of your Wired MAB Policy Set?

Given that 802.1x takes precedence, what if the endpoint properly authenticates via 802.1x?  I guess I'd need 2 policies.  One that goes in a MAB policy set and one that goes in an 802.1X policy set.  How are others doing this?
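The design sketched in the reply above (a temporary whitelist endpoint group, a bypass authorization rule at the top of the Wired MAB policy set, a 24-hour purge) plus the follow-up point that the same rule is needed in the 802.1X policy set can be walked through against the three endpoint cases in the question. The following Python model is an added example, not code from this thread or from Cisco; the group name `Troubleshoot-Bypass`, the rule names and the policy-set logic are hypothetical stand-ins for what you would configure in ISE, and the `Endpoint` flags simply state whether 802.1X authentication and the normal authorization rules would succeed for that machine.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical names; substitute the group and rule names used in your deployment.
BYPASS_GROUP = "Troubleshoot-Bypass"
PURGE_AFTER = timedelta(hours=24)


def normalize_mac(mac: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return AA:BB:CC:DD:EE:FF.
    Desktop support will paste MACs in every format, so the group must compare canonically."""
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Endpoint:
    mac: str
    supports_dot1x: bool          # case 3 in the question: False means the NAD only ever runs MAB
    dot1x_authc_ok: bool = False  # would EAP authentication succeed?
    dot1x_authz_ok: bool = False  # would the normal 802.1X authorization rules permit it?


@dataclass
class BypassGroup:
    """Stand-in for the temporary endpoint identity group; records when each MAC was added."""
    members: dict = field(default_factory=dict)

    def add(self, mac: str, now: datetime) -> None:
        self.members[normalize_mac(mac)] = now

    def contains(self, mac: str) -> bool:
        return normalize_mac(mac) in self.members

    def purge(self, now: datetime) -> list:
        """The scheduled 24-hour purge suggested in the reply; returns the MACs removed."""
        expired = [m for m, t in self.members.items() if now - t >= PURGE_AFTER]
        for m in expired:
            del self.members[m]
        return expired


def dot1x_policy_set(ep: Endpoint, group: BypassGroup):
    """Wired 802.1X policy set. Returns (rule name, result), or None when authentication
    failed, in which case a NAD configured for dot1x-then-MAB falls back to MAB."""
    if not ep.dot1x_authc_ok:
        return None
    # Ordered authorization rules: the bypass rule sits first so it wins even when the
    # endpoint authenticated fine but its normal authorization rules would deny it (case 2).
    rules = [
        ("Troubleshoot-Bypass", group.contains(ep.mac), "PermitAccess"),
        ("Corp-Dot1X",          ep.dot1x_authz_ok,      "Corp_Access"),
        ("Default",             True,                   "DenyAccess"),
    ]
    return next((name, result) for name, cond, result in rules if cond)


def mab_policy_set(ep: Endpoint, group: BypassGroup):
    """Wired MAB policy set with the same bypass rule at the very top."""
    rules = [
        ("Troubleshoot-Bypass", group.contains(ep.mac), "PermitAccess"),
        ("Default",             True,                   "DenyAccess"),
    ]
    return next((name, result) for name, cond, result in rules if cond)


def evaluate(ep: Endpoint, group: BypassGroup, try_dot1x_first: bool = True):
    """Return (policy set, rule, result) as a NAD that tries 802.1X first and then MAB
    would land. try_dot1x_first=False models a port configured for MAB only."""
    if try_dot1x_first and ep.supports_dot1x:
        outcome = dot1x_policy_set(ep, group)
        if outcome is not None:
            return ("Wired 802.1X",) + outcome
    return ("Wired MAB",) + mab_policy_set(ep, group)


if __name__ == "__main__":
    # Constructed sample: one MAC added by desktop support, tried in the three cases.
    group = BypassGroup()
    added_at = datetime(2024, 1, 1, 9, 0)
    group.add("aabb.ccdd.eeff", added_at)
    cases = {
        "good 802.1X":          Endpoint("AA:BB:CC:DD:EE:FF", True, True, True),
        "802.1X authz fails":   Endpoint("AA:BB:CC:DD:EE:FF", True, True, False),
        "802.1X authc fails":   Endpoint("AA:BB:CC:DD:EE:FF", True, False, False),
        "no 802.1X supplicant": Endpoint("AA:BB:CC:DD:EE:FF", False),
    }
    for label, ep in cases.items():
        print(f"{label:22} -> {evaluate(ep, group)}")
    print("purged after 24h:", group.purge(added_at + PURGE_AFTER))
    print("after purge      ->", evaluate(cases["802.1X authz fails"], group))
```

The point the model makes is that a single group membership check only bypasses everything if the rule is evaluated first in both policy sets: an endpoint that passes EAP never reaches the MAB set, so a bypass rule living only there would not help cases 1 and 2, while an endpoint with no supplicant or bad credentials never reaches the 802.1X authorization rules. The purge limits how long a troubleshooting entry stays effective; in real ISE the equivalent of `group.contains()` is a condition on the endpoint's identity group in the authorization rule, and the purge can be scheduled against the group on the ISE side.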

Why would you need a bypass for something that completes 802.1X successfully?  802.1X doesn't always take precedence; it depends on how your NAD is configured.

Agreed, 802.1x doesn't ALWAYS take precedence, but I'll bet in most setups it does.

Why would I need to bypass a successful 802.1x?  In a perfect world we wouldn't.  However, my environment is unique, with MANY different IT departments controlling various client computers.  These computers may move from one building controlled by one set of ISE servers to another building controlled by a different set.  Those computers MAY pass authentication as it's a common AD domain / PKI environment.

Why are there multiple ISE deployments but a single AD domain and single PKI?

The powers that be wanted it that way... I just need to make it work.