06-09-2011 07:05 AM - edited 03-10-2019 06:09 PM
I'm running the 90-day ISE demo and trying to configure IBNS with it. I love the feel of the interface and almost instantly had a set of policies up and working fine. My issue is this:
I have an authorization service for machines so before a user logs in, their machine will authenticate to a list of machines in AD. This will give them guest/limited access.
I have a second authorization service for users. Once the user authenticates to AD, they should get access based on user group or other AD attributes. However once the user authenticates to AD, the previous authorization service that they had before is still enforced. The user is stuck with machine authorization. I figured that it was because the setting was "First Matched Rule Applies" so I switched to Multiple and now after the login, it still matches machine authorization but it now also matches on Default which will deny access...how can something match both authorized and default?
Because of that I have to make the machine authorization setting open to everything. Can anyone provide any guidance on this issue as config examples and such aren't out yet for ISE and the admin guide wasn't very helpful with this particular issue.
Thanks
Xavier
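To make the two evaluation modes in the question concrete, here is a small Python model of authorization-rule evaluation: "first matched rule applies" picks the first rule in order whose condition holds, while "multiple matched rules apply" collects every rule whose condition holds. A default rule has no condition, so in the second mode it matches every session, which is why a session can come back as both "authorized" and "Default". This is an added example written for this thread, not ISE code and not a claim about ISE internals; the rule names, AD group names and permission names are hypothetical, the identity formats (host/<machine> for machine authentication, <domain>\<user> or <domain>/<user> for user authentication) follow the thread, and the sessions are constructed sample data.

```python
"""Toy model of 802.1X authorization-rule evaluation: "first matched rule
applies" versus "multiple matched rules apply".

Added example for the thread above; it is not ISE code and does not claim
to reproduce ISE internals. A session is a dict of attributes as a RADIUS
server would see them after an AD lookup. Rule names, group names and
permission names are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Session = Dict[str, str]


@dataclass
class Rule:
    name: str
    # None means "no condition": a catch-all default rule.
    condition: Optional[Callable[[Session], bool]]
    permissions: List[str]

    def matches(self, s: Session) -> bool:
        return True if self.condition is None else self.condition(s)


def is_machine_identity(s: Session) -> bool:
    """Machine authentication presents the computer account as host/<name>."""
    return s["username"].lower().startswith("host/")


def is_domain_user(s: Session) -> bool:
    """User authentication presents <domain>\\<user> (or <domain>/<user>)."""
    u = s["username"]
    return ("\\" in u or "/" in u) and not is_machine_identity(s)


def in_ad_group(group: str) -> Callable[[Session], bool]:
    """Condition factory: AD group membership (groups are ';'-separated)."""
    return lambda s: group in s.get("ad_groups", "").split(";")


# Hypothetical policy modelled on the thread: machine rule, user rule, default.
POLICY = [
    Rule("IBNS Machine Authorization",
         lambda s: is_machine_identity(s) and in_ad_group("Domain Computers")(s),
         ["Machine Access"]),
    Rule("IBNS User Authorization",
         lambda s: is_domain_user(s) and in_ad_group("Engineers")(s),
         ["Engineer Access"]),
    Rule("Default", None, ["DenyAccess"]),
]


def authorize(policy: List[Rule], session: Session, mode: str) -> List[str]:
    """Return the permission list the session ends up with.

    mode="first":    permissions of the first rule (in order) that matches.
    mode="multiple": permissions of every rule that matches, in order. A
                     catch-all default has no condition, so it always lands
                     in this set alongside whatever else matched.
    mode="fallback": like "multiple", but conditionless rules are used only
                     when no conditional rule matched (what one usually
                     wants from a default).
    """
    matched = [r for r in policy if r.matches(session)]
    if mode == "first":
        return list(matched[0].permissions) if matched else []
    if mode == "multiple":
        return [p for r in matched for p in r.permissions]
    if mode == "fallback":
        conditional = [r for r in matched if r.condition is not None]
        chosen = conditional or [r for r in matched if r.condition is None]
        return [p for r in chosen for p in r.permissions]
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample sessions (not real log data).
MACHINE_SESSION = {"username": "host/PC01.corp.example", "ad_groups": "Domain Computers"}
USER_SESSION = {"username": "CORP\\xavier", "ad_groups": "Domain Users;Engineers"}
GUEST_SESSION = {"username": "CORP\\visitor", "ad_groups": "Domain Users"}

# A hypothetical mis-scoped machine rule: it matches any AD identity, not
# only host/ identities. In first-match mode it sits above the user rule,
# so a domain user is pinned to Machine Access even though the user rule
# would also have matched. Rule order, not the AD data, decides the result.
BROAD_POLICY = [
    Rule("IBNS Machine Authorization (too broad)",
         lambda s: is_domain_user(s) or is_machine_identity(s),
         ["Machine Access"]),
    POLICY[1],
    POLICY[2],
]


if __name__ == "__main__":
    for name, sess in [("machine", MACHINE_SESSION), ("user", USER_SESSION),
                       ("guest", GUEST_SESSION)]:
        for mode in ("first", "multiple", "fallback"):
            print(f"{name:8} {mode:9} -> {authorize(POLICY, sess, mode)}")
    print("user, broad policy, first ->", authorize(BROAD_POLICY, USER_SESSION, "first"))
```

Running the block shows the user session landing on Engineer Access in first-match mode, on Engineer Access plus DenyAccess in multiple-match mode (the default always matches), and on Machine Access when a too-broad machine rule is ordered above the user rule. The practical checks this suggests are: confirm the machine rule's condition really is restricted to host/ identities, and confirm that rule ordering in first-match mode places the user rule where the user session can reach it.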
06-12-2011 03:00 PM
Xavier,
Can you take a screenshot of your machine authorization attributes along with the default access attribute, just as you want it? Also, can you please post a screenshot of the report that shows the successful attempt for the user authentication, showing it being mapped to the machine rule?
Thanks,
Tarik admani
06-13-2011 09:18 AM
06-13-2011 11:57 AM
Xavier,
Based on the screenshots it looks as if everything is working just fine: I see the host/ identity being mapped to the IBNS machine authorization service, and the domain/user identity being pointed to the IBNS user authorization service.
Let me know what it is that you are having trouble with. It seems as if all the authentications above are user authentications and they hit the right policy; the two machine authentication attempts in the logs also seem to pair up with the right policy.
Thanks,
06-13-2011 12:11 PM
The problem is that when the user is authorised after the machine is authorised, he still gets Machine Access (number 6). The user is supposed to get Engineer Access based on the IBNS User Authorisation Rule in number 1.
Comparing 5 and 6, the username for 5 is host/machineName/domain, which should be granted Machine Access based on how AD is set up (with a list of hostnames of Domain Computers). In number 6 the username is domain/username, which indicates it's a domain user, and so he should get Engineer Access. For some reason, ISE doesn't want to match the new authorisation rule and just keeps the one that I had before.
06-13-2011 10:08 PM
Thanks for the clarification, and I apologize for my oversight. Can you please paste or upload an edited version of the authentication report? You should be able to download it as a PDF (I think if you try to print the report it will give you an option to save it). If you want, you can message it to me directly instead. You can update the message board if we are able to resolve the issue.
thanks,
Tarik Admani
06-14-2011 06:30 AM
Hey bro, don't worry about it. I'm going to PM you. Here are the reports.
Thanks much
Xavier
06-15-2011 08:33 AM
Xavier,
I wanted to know how everything is coming along, were you able to find anything after we took this offline?
Thanks,
Tarik
06-15-2011 09:02 AM
Nope, nothing yet. I've become a bit distracted with a few other more pressing projects.
I just had an idea though. I had the switch set up to do IBNS with ACS 5.1 and this kind of authorization was working just fine. I'm going to see if I can pull some logs from that and compare them with these to see if there's any valuable information.
Thanks
Xavier