Handling non-DOT1x devices

mark373737
Level 1

Hi All,

I wonder if anyone can give some advice on the handling of legacy non-dot1x devices. My customer does not want non-corporate wired devices connecting to the network. For dot1x devices this is easily achieved. However, for non-dot1x MAB devices I can only see this being done by a static "whitelist". If we use profiling it allows any device that "looks like" one of their corporate devices to join, and they explicitly don't want that.

For that reason I am using whitelists. That raises a new issue: how many whitelists? If I have only one, and want to use profiling in addition to static whitelist membership, I need to ensure my parent profile contains all the device type "child" profiles under it, don't I? For example, I can't have a policy that allows access based on "if printer profile "HP" OR printer profile "Canon" AND printer whitelist", as that mixes ANDs and ORs together? So all my printer profiles would need to belong to the same parent profile so the policy becomes "if all-printers profile AND printer whitelist". Does that make sense?

Secondly, if you have whitelists that contain the MAC addresses of all your MAB devices, how can you ensure that no purging function removes them? I see purging policies appear in ISE 2.0, so I presume I can use them? To be clear, I NEVER want my whitelist MAC addresses to be purged at any time, regardless of how long it has been since they last appeared on the network.

And lastly, what is the best way of putting new MAC addresses into a whitelist? Can you be proactive and insert them in advance, or do they need to be physically connected to the network and known to ISE before you can allocate them? I see there is a bulk import template for initial set-up of the list, but after that I only envisage occasional single changes.

Many thanks

Mark

Accepted Solution

Timothy Abbott
Cisco Employee

Mark,

The best solution is to create a custom identity group for all devices owned by the customer that do not participate in 802.1X.  These devices do not need to be connected to the network to be added to the group but can be imported into the group.  The customer just needs to have a list of all these devices.

There are two assignment types for endpoints in ISE: Profile Policy and Identity Group. ISE will attempt to profile (if a Plus license has been purchased) every endpoint it sees on the network and automatically assign it a profile policy. It will then set the Profile Policy as the Identity Group, but this can be overwritten in the interface by checking the "Static Group Assignment" box and selecting an alternative Identity Group. Here, your customer can let ISE assign a profile policy but then select a different Identity Group (i.e. CompanyOwned) and then use that in authorization policy. It would be in the "CompanyOwned" identity group that all the company owned, non-802.1X devices would be imported.

Lastly, ISE does have a purging mechanism, but this would not apply unless the customer specifically configured it. The default purge policies affect GuestEndpoints and RegisteredEndpoints, so the custom identity group(s) the customer configures would not be affected in this case.

Regards,

-Tim
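The workflow Tim describes, done through the ERS REST API instead of the GUI, as an added example that is not code from this thread or from Cisco: normalise the customer's MAC list, pin every entry to the CompanyOwned endpoint identity group with static group assignment (so profiling can still classify the device but can never move it out of the group), and periodically audit that nothing has vanished or been un-pinned, which is the drift Mark's purge question is about. The group name CompanyOwned comes from the answer; the ERS paths, field names, the `session` object, and the sample MAC list are assumptions of this example.

```python
"""Keep a Cisco ISE endpoint identity group ("CompanyOwned") in sync with a
customer-supplied MAC whitelist through the ERS REST API (TCP 9060).
Added example, not code from the thread or from Cisco. Assumed: ERS is enabled,
the account has ERS Admin rights, the customer supplies one MAC per line.
ERS resources used: /ers/config/endpointgroup and /ers/config/endpoint.
"""
import re

def normalize_mac(raw: str) -> str:
    """Return ISE's canonical AA:BB:CC:DD:EE:FF form or raise ValueError.
    Accepts aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff. Anything that is
    not exactly 12 hex digits (wildcards, OUI prefixes) is rejected."""
    s = raw.strip()
    if re.search(r"[^0-9A-Fa-f:.\-\s]", s):
        raise ValueError(f"illegal character in MAC: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", s)
    if len(digits) != 12:
        raise ValueError(f"need 12 hex digits, got {len(digits)}: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def load_whitelist(text: str) -> list[str]:
    """One MAC per line; '#' comments, blank lines and duplicates are ignored.
    Fails on the first bad line, naming it, before anything reaches ISE."""
    macs, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            mac = normalize_mac(entry)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if mac not in seen:
            seen.add(mac)
            macs.append(mac)
    return macs

def endpoint_payload(mac: str, group_id: str, description: str = "") -> dict:
    """Body for POST /ers/config/endpoint. staticGroupAssignment=True is the ERS
    equivalent of ticking "Static Group Assignment" in the GUI: the profiler may
    still assign a profile policy but cannot move the endpoint out of the group."""
    return {"ERSEndPoint": {"mac": mac, "description": description,
                            "staticGroupAssignment": True, "groupId": group_id,
                            "staticProfileAssignment": False}}

def audit(desired: list[str], current: dict[str, dict], group_id: str) -> dict:
    """Drift check. `current` maps MAC -> ERSEndPoint dict as returned by
    GET /ers/config/endpoint/{id}. Reports entries that have vanished (purged or
    deleted by hand) and entries no longer statically pinned to the group."""
    missing, unpinned = [], []
    for mac in desired:
        ep = current.get(mac)
        if ep is None:
            missing.append(mac)
        elif not ep.get("staticGroupAssignment") or ep.get("groupId") != group_id:
            unpinned.append(mac)
    return {"missing": missing, "unpinned": unpinned}

def sync(session, base_url: str, group_name: str, whitelist_text: str) -> dict:
    """Create entries ISE lacks, then audit the rest. `session` is a
    requests.Session with auth and JSON Accept/Content-Type headers already set;
    this is the only function that touches the network."""
    r = session.get(f"{base_url}/ers/config/endpointgroup",
                    params={"filter": f"name.EQ.{group_name}"})
    r.raise_for_status()
    hits = r.json()["SearchResult"]["resources"]
    if len(hits) != 1:
        raise RuntimeError(f"expected one group named {group_name!r}, found {len(hits)}")
    group_id = hits[0]["id"]
    desired, current, created = load_whitelist(whitelist_text), {}, []
    for mac in desired:
        r = session.get(f"{base_url}/ers/config/endpoint", params={"filter": f"mac.EQ.{mac}"})
        r.raise_for_status()
        found = r.json()["SearchResult"]["resources"]
        if not found:
            r = session.post(f"{base_url}/ers/config/endpoint",
                             json=endpoint_payload(mac, group_id, "whitelist import"))
            r.raise_for_status()  # 201 Created; the new id is in the Location header
            created.append(mac)
            continue
        r = session.get(f"{base_url}/ers/config/endpoint/{found[0]['id']}")
        r.raise_for_status()
        current[mac] = r.json()["ERSEndPoint"]
    report = audit([m for m in desired if m not in created], current, group_id)
    report["created"] = created
    return report

# Constructed sample inputs (not customer data) so the module runs offline.
SAMPLE_WHITELIST = """\
# floor 2 printers
00:11:22:33:44:55   # HP LaserJet
00-11-22-33-44-55   # same printer, other notation: collapsed
0011.2233.4466      # Canon
aabbccddeeff        # badge reader
"""
SAMPLE_ISE_STATE = {  # trimmed GET /ers/config/endpoint/{id} results
    "00:11:22:33:44:55": {"staticGroupAssignment": True, "groupId": "grp-1"},
    "00:11:22:33:44:66": {"staticGroupAssignment": False, "groupId": "grp-1"},
}  # AA:BB:CC:DD:EE:FF absent: purged, or never imported

if __name__ == "__main__":
    print(audit(load_whitelist(SAMPLE_WHITELIST), SAMPLE_ISE_STATE, "grp-1"))
```

Run `audit()` on a schedule against a fresh pull from ERS and alert on a non-empty `missing` list: a default purge policy should never touch a custom group, as Tim says, but a hand-edited purge rule or an admin deleting the endpoint will, and this catches both. The strict MAC parser matters because a whitelist is only as tight as its worst entry; an OUI prefix or wildcard that slipped through would turn a static allow-list into exactly the "looks like a corporate device" match the customer rejected.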

Replies

Thanks Tim,

Much appreciate the speedy response.

I think I'm on the right track then, as I have created 4 customer endpoint groups with a policy for each. Initially the policy will only require membership of these groups, but I want to add profiling at some point as an additional criterion to prevent MAC spoofing.

The customer will be responsible for these groups, so currently I'm more worried that adding profiling to each policy would mean no access if they put the MAC address in the wrong group (as it wouldn't match the accompanying profile). Without profiling they would match one of the policies and get access even if they put it in the wrong group. This is why I wanted just one endpoint group for all their MAB devices regardless of type, but I'm pretty sure you can't mix AND and OR conditions in the same policy, can you?

...and that is my final question. As the customer will be responsible for these endpoint groups (we manage it), I wanted to create a way of giving them access without giving them access to too much. I tried creating a custom portal, which works great but seems to have a limit of 99 addresses (I think it's really aimed at "My Devices" type usage for personal devices). Currently I've given them cut-down access to the ISE Admin GUI. Any other suggestions?

M