Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1101
Views
0
Helpful
8
Replies

Force Authenticate/Authorize Endpoints

Go to solution
Guy Greenshtein
Level 1
Level 1

‎08-08-2023 07:01 AM

Hello everyone,

I was wondering if there's a way to force authenticate/authorize a specific endpoint (or group of endpoints) using ISE GUI in case of a failure or t-shoot needs.

For example, let's say that the CEO's workstation is not passing 802.1x authentication or posture check and thus is sent to an Isolation VLAN. I need to exclude this workstation and give it access regardless of its state. Is there a way to do it directly without connecting to the user switch and running the authentication control force-authorized on the switchport?

I thought about creating a bypass policy validating only MAC address and then statically adding this endpoint to a bypass group. 

In Portnox for example, I can give a specific port something called a 'voucher' or even set the specific port to be always authenticated and everything is done from the GUI.

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎08-08-2023 03:09 PM

Hi @Guy Greenshtein 

The solution you're looking for is called Vanilla ISE. It's a web interface (written in python) that you can easily launch and have users log in to do just that. It can generate vouchers etc. He is very repsonsive also on Github if you send him feature enhancement requests.

If you want to see Vanilla ISE in action, watch the DEVNET-2106 Session from CiscoLive Las Vegas 2023 from the creator, Oren Brigg himself, you will be impressed.

 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎08-08-2023 07:05 AM

@Guy Greenshtein go to Live Sessions, select the endpoint/user and click Show COA actions, then click "session reauthentication"

RobIngram_0-1691503464603.png

The NAD (switch/WLC) will need CoA configured and working.

 

0 Helpful

Go to solution
Guy Greenshtein
Level 1
Level 1
In response to Rob Ingram

‎08-08-2023 07:11 AM

@Rob Ingram , as far as I understand, this will re-authenticate the workstation, but I don't think it will FORCEFULLY AUTHENTICATE it. Am I wrong?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Guy Greenshtein

‎08-08-2023 07:50 AM

@Guy Greenshtein it will force the switch the endpoint is connected to to reauthenticate the endpoint, subsequently ISE will evaluate the policies and authenticate/authorise the endpoint/user.

0 Helpful

Go to solution
Guy Greenshtein
Level 1
Level 1
In response to Rob Ingram

‎08-08-2023 09:04 AM

Thanks for clarifying, but unfortunately it is not the solution I'm looking for. What you propose will help me to re-authenticate manually rather than waiting for Cisco ISE to do automatically according to it's timer.

If the endpoint isn't meeting the conditions it will still fail... what I'm looking for in simple words is a magic button that says "authenticate and authorize this endpoint even if it failed all tests".

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Guy Greenshtein

‎08-08-2023 09:14 AM

@Guy Greenshtein ok, as you previously suggested create an Endpoint Identity Group, create an authorisation rule (exception) that gets processed before any other rule that matches on the identity group. Add the MAC address of an endpoint to the group, reauthorise the endpoint, the endpoint will hit this exception rule rather than the other rules that's its failing to match.

0 Helpful

Go to solution
Guy Greenshtein
Level 1
Level 1
In response to Rob Ingram

‎08-08-2023 10:21 AM

Thanks for confirming this optional solution. I was hoping to find a more intuitive built-in solution such as other NAC vendors provide. Several disadvantages I think of are:

1. I will need to be in much more control over these identity group and the endpoints associated to them. As long as the endpoints are members of this groups they will hit the very permissive rules and gain access to the corporate network which might pose a high security risk.

B. I will need to create several policy rules for both authentication and posture to cover different scenarios.

 

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎08-08-2023 03:09 PM

Hi @Guy Greenshtein 

The solution you're looking for is called Vanilla ISE. It's a web interface (written in python) that you can easily launch and have users log in to do just that. It can generate vouchers etc. He is very repsonsive also on Github if you send him feature enhancement requests.

If you want to see Vanilla ISE in action, watch the DEVNET-2106 Session from CiscoLive Las Vegas 2023 from the creator, Oren Brigg himself, you will be impressed.

 

0 Helpful

Go to solution
Guy Greenshtein
Level 1
Level 1
In response to Arne Bier

‎08-10-2023 04:12 AM

@Arne Bier thanks for introducing me Vanilla ISE! I never heard of it before and after seeing the video presentation I understand that it is quite close to what I was looking for and that I can actually develop something on my own for our different needs.

Eventually the solution is based on what I was thinking of doing - creat an Identity group for bypass and manually add the endpoints inside, but the fact it can be time based is a nice addition (similar to Portnox).

Thank you!

0 Helpful
Customers Also Viewed These Support Documents