Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
305
Views
0
Helpful
6
Replies

ISE 1.4 profiling just for AD users.

alberx
Level 1
Level 1

‎10-19-2015 07:46 AM - edited ‎03-10-2019 11:09 PM

Hello, I´m implementing ISE 1.4 in a wireless enviroment with WLC.

I´m deploying CWA and if the user is guest sponsored user/password I give internet access, but if the user is from Active Directory I do a Client provisioning with EAP-TLS and certificates for 802.1x in a different SSID. Everything works correctly and the client after the provisioning can connect perfectly to the new 802.1x SSID.

The problem is that I would like doing some profiling just for devices connected with AD user/password, my client has a wide range of devices (apple, windows, Android....) and I can not apply any differentiated profiling policy with the conditions ISE can give me. I would like to profile devices when in the CWA the user is from AD. But trying to create the profiling policies I have no access to the dictionary of my AD, only Radius, DHCP,DNS...etc dictionaries.

I also tried to create a custom dictionary without any success for my purposses.

How can I create a profiling policy with the confition that only applies to devices connected with AD credentials?

Thanks.

Labels:
0 Helpful
6 Replies 6

jan.nielsen
Level 7
Level 7

‎10-19-2015 12:51 PM

Profiling can't be differentiated like that, it works for all devices with a session in ISE. What you can do, and what is normally done, is to let profiling do it's job for every device, and then use multiple conditions in the authorization rules, that relate to both profiling profiles, and AD group memberships for example. This way you can have rules that only require a specific profiling profile, if user is also member of a specific group, or just authenticated via AD.

0 Helpful

alberx
Level 1
Level 1
In response to jan.nielsen

‎10-20-2015 12:16 AM

Hi Jan, thanks for your repsonse.

I understand what you say. What I wanted to do is to configure a profiling policy to create a new identity group with the devices connected with AD user/password. Then use this created group in the authorization rules. Then I wouldn´t do any job with the rest of the guest devices purging the unknown group every week.

0 Helpful

jan.nielsen
Level 7
Level 7
In response to alberx

‎10-20-2015 03:31 AM

Why would you wan't to use profiling for that? ISE already knows they where authenticated via AD and you can just use the "Identity Store" attribute to select those in your authorization rules, no need for profiling to do that.

0 Helpful

alberx
Level 1
Level 1
In response to jan.nielsen

‎10-21-2015 05:26 AM

I don´t have any endopoint in the identity store until they access by CWA. In that moment I wanted to put the endpoint used with AD credentials in a specific endpoint group.

I´m using the attribute "BYODRegistration - equals - yes" to do it.

Thanks for your support.

0 Helpful

jrabinow
Level 7
Level 7
In response to alberx

‎10-21-2015 09:44 AM

FYI. There is a dictionary called CWA that contains the following attributes:

- CWA_ExternalGroups

- CWA_Username

Can be used in authorization (not for profiling).Don't think addresses what you are trying to do but worth calling out

0 Helpful

alberx
Level 1
Level 1
In response to jrabinow

‎10-23-2015 07:55 AM

Thanks. I will check.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents