ip address to user mapping

David_D
Cisco Employee

Hello ISE Team,

Is the ip-address-to-user mapping table (currently using AD) informed/modified by the information gleaned from an 802.1x RADIUS-based authentication? Is one of those two sources of ip address preferred? Does one source of ip address overwrite the other?

I'm trying to address a scenario/vulnerability where the ip address-to-user mapping does not accurately reflect the existing and current login.

best regards,

David Daverso

cc:fracaen

Accepted Solution

Craig Hyps
Level 10

If referring to the Passive Identity feature, then the mapping is acquired from the passive ID source, whether AD, syslog, or other. The merger of Passive Identity with RADIUS is a function of the Easy Connect feature, where we correlate the IP from Passive Identity with that from "Active" Identity (RADIUS auth). If there is no match in IP, then there can be no merger, so mismatched IP addresses cannot result. However, once a merger takes place and a MAC address is associated with the session, then the IP address can change in RADIUS and still be associated with the same Passive ID entry.

Example: a user logs into AD over the wired network and MAB authentication results in a merger of the two events. The user then disconnects and reconnects at another location, or leaves and comes back to the same location. Here the user may be allocated a different IP address but the MAC is still the same. Here the session may be updated with the new IP even though the original Passive login to AD shows the original IP.

/Craig

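The merge behaviour Craig describes, modelled as a small simulation. This is an added illustration written for this thread, not Cisco ISE code; the class and function names (PassiveIdEntry, RadiusSession, IdentityCorrelator, stale_mappings) and the sample users, MACs and addresses are all constructed for the example. It shows the three cases from the answer: a passive AD login and a MAB session with the same IP merge; a session whose IP matches no passive entry stays unmerged; and after a merged endpoint re-authenticates from a new IP, the session keeps the identity (it is tracked by MAC) while the passive entry still records the original IP. The stale_mappings check is the kind of reconciliation a defender would run to spot exactly the divergence the question is worried about.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PassiveIdEntry:
    """One user-to-IP mapping learned from a passive source (AD, syslog, ...)."""
    user: str
    ip: str
    source: str


@dataclass
class RadiusSession:
    """One active session learned from RADIUS (MAB/802.1X), keyed by MAC."""
    mac: str
    ip: str
    user: Optional[str] = None         # filled in when merged with a passive entry
    merged_from: Optional[str] = None  # which passive source supplied the user


class IdentityCorrelator:
    """Toy Easy Connect-style correlator (assumed model, not ISE's implementation)."""

    def __init__(self) -> None:
        self.passive: Dict[str, PassiveIdEntry] = {}   # ip  -> passive entry
        self.sessions: Dict[str, RadiusSession] = {}   # mac -> RADIUS session

    def passive_login(self, user: str, ip: str, source: str = "AD") -> None:
        # A passive login event: the mapping is keyed by the IP seen at login time.
        self.passive[ip] = PassiveIdEntry(user=user, ip=ip, source=source)
        self._try_merge()

    def radius_auth(self, mac: str, ip: str) -> RadiusSession:
        sess = self.sessions.get(mac)
        if sess is None:
            sess = RadiusSession(mac=mac, ip=ip)
            self.sessions[mac] = sess
        else:
            # Re-authentication from the same endpoint: same MAC, possibly a new IP.
            # The identity already merged onto the session is retained.
            sess.ip = ip
        self._try_merge()
        return sess

    def _try_merge(self) -> None:
        # Merge only on an exact IP match; no match means no merge.
        for sess in self.sessions.values():
            if sess.user is None and sess.ip in self.passive:
                entry = self.passive[sess.ip]
                sess.user = entry.user
                sess.merged_from = entry.source

    def stale_mappings(self) -> List[Tuple[str, str, str]]:
        """Merged sessions whose current IP differs from the passive entry's IP.

        Returns (user, passive_ip, session_ip) triples; these are the mappings
        that no longer reflect where the user actually is on the network.
        """
        stale = []
        for sess in self.sessions.values():
            if sess.user is None:
                continue
            entry = next((e for e in self.passive.values() if e.user == sess.user), None)
            if entry is not None and entry.ip != sess.ip:
                stale.append((sess.user, entry.ip, sess.ip))
        return stale


def demo() -> dict:
    """Walk through the scenario from the answer with constructed sample data."""
    c = IdentityCorrelator()

    # 1. Passive AD login and MAB session share an IP -> merge.
    c.passive_login("alice", "10.0.1.50")
    merged = c.radius_auth("00:11:22:33:44:55", "10.0.1.50")

    # 2. Passive login at one IP, RADIUS session at another -> no merge.
    c.passive_login("bob", "10.0.3.10")
    unmatched = c.radius_auth("66:77:88:99:aa:bb", "10.0.3.11")

    # 3. alice reconnects elsewhere: new IP, same MAC -> identity retained,
    #    but the passive entry still shows 10.0.1.50.
    moved = c.radius_auth("00:11:22:33:44:55", "10.0.2.77")

    return {
        "merged_user": merged.user,
        "merged_from": merged.merged_from,
        "unmatched_user": unmatched.user,
        "session_ip_after_move": moved.ip,
        "passive_ip": c.passive["10.0.1.50"].ip,
        "stale": c.stale_mappings(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the demo shows the session for alice's MAC still carries user "alice" after the move to 10.0.2.77, and stale_mappings() reports the one mapping whose passive IP (10.0.1.50) no longer matches the session IP. Whatever the real product does internally, reconciling the passive table against current session IPs on the MAC-keyed side is the check that catches the inaccuracy David asks about.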
