ISE 2.3 and Active Directory Probe

patoberli (VIP Alumni)

Hi All

I'm new to ISE and using it currently in a lab. My goal is to make profiles based on AD membership of clients for 802.1x authentication on a switch.

I've successfully added the AD and the ISE is joined. I'm using ISE 2.3 with patch2 installed.

 

My sample client provides these attributes: [screenshot ise_bild1.jpg]

 

But the dictionary / policy elements don't match a single one of those attributes, so I am unable to profile it:

[screenshot ise_bild2.jpg]

 

I did find this bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg57342

 

Am I indeed hitting that bug and does that mean it's not possible in ISE 2.3 to use the Active Directory Profiling for authentications?

Accepted Solution

Got it working now! :)
It was a permissions issue on the Active Directory side, which didn't allow the ISE to pull the needed attributes.

We run an AD 2012R2 (or even 2016), which limits access to certain computer attributes, like all the ones ISE would like to have. Our Domain Admin needed to add the ISE to the group named "Pre-Windows 2000 Compatible Access" (which I think exists by default).

Once that was done and the client got queried again on the AD (default is every 24 hours, or delete it from the Endpoint list and reconnect it on the network), the fields were finally there and filled out :)


5 Replies

Hi,

In order to use AD group membership for authentication/authorisation:

- Create an External Identity Source for AD domain (Administration > External Identity Source)

- Import groups from AD (Administration > External Identity Source > YOURADDOMAIN > Groups)

- In your Policy Set create your rules and select YOURADDOMAIN:ExternalGroups EQUALS YourGroupName

 

[screenshot 1.PNG]

 

You can use the AD probe information in the rules as well, to determine that the actual computer is joined to the AD domain, etc.
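The two AD-side prerequisites this thread turns on are (a) the accepted solution's fix, the ISE machine account being a member of "Pre-Windows 2000 Compatible Access" so the AD probe can read the client's computer attributes, and (b) the reply above, the client actually being in the AD group that the `YOURADDOMAIN:ExternalGroups EQUALS YourGroupName` rule matches. The script below is an added example, not code from the thread or from Cisco; it uses the RSAT ActiveDirectory module and is run on a domain-joined admin workstation, not on ISE. The account names, the client name, the policy group name and the list of computer attributes the probe reads are assumptions for the example, not facts from the thread.

```powershell
# Added example (not from the thread): check the AD prerequisites for the ISE AD probe
# and for an ExternalGroups-based policy rule. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# --- assumed names; replace with your own ------------------------------------
$IseComputer = 'ISE-LAB01'               # assumed: computer object ISE created when it joined AD
$ClientName  = 'WIN10-CLIENT01'          # assumed: the 802.1X test client
$PolicyGroup = 'Lab-Dot1x-Computers'     # assumed: AD group referenced in the ISE policy rule
$CompatGroup = 'Pre-Windows 2000 Compatible Access'   # builtin group named in the accepted solution

# --- 1. Is the ISE machine account a DIRECT member of the compatibility group? ---
# The 'member' attribute is read directly instead of Get-ADGroupMember, because the
# builtin group may contain well-known principals that Get-ADGroupMember cannot resolve.
# Membership inherited through a nested group (e.g. Authenticated Users) is not detected here.
$iseObj  = Get-ADComputer -Identity $IseComputer
$members = (Get-ADGroup -Identity $CompatGroup -Properties member).member
if ($members -contains $iseObj.DistinguishedName) {
    Write-Host "$IseComputer is already a direct member of '$CompatGroup'."
} else {
    Write-Host "$IseComputer is not in '$CompatGroup'; adding it (needs Domain Admin rights)."
    Add-ADGroupMember -Identity $CompatGroup -Members $iseObj
}

# --- 2. Show the computer attributes the probe is expected to read -----------------
# Assumed attribute list (operatingSystem, operatingSystemVersion, operatingSystemServicePack).
# If these are blank when read as the ISE account, the AD-* fields in ISE stay empty,
# which is the symptom described in the original post.
Get-ADComputer -Identity $ClientName `
    -Properties operatingSystem, operatingSystemVersion, operatingSystemServicePack |
    Select-Object Name, operatingSystem, operatingSystemVersion, operatingSystemServicePack |
    Format-List

# --- 3. Confirm the client is in the group the ExternalGroups rule matches -------
$clientObj    = Get-ADComputer -Identity $ClientName
$clientGroups = Get-ADPrincipalGroupMembership -Identity $clientObj | Select-Object -ExpandProperty Name
if ($clientGroups -contains $PolicyGroup) {
    Write-Host "$ClientName is a member of '$PolicyGroup'; the ExternalGroups rule can match it."
} else {
    Write-Warning "$ClientName is NOT in '$PolicyGroup'; the ExternalGroups rule will not match."
}
```

Step 2 runs as the admin who launches the script, so it only shows that the attributes are populated; it does not prove the ISE account can read them. The confirmation that the permission fix took effect is the one the accepted solution describes: the AD-* fields appear on the endpoint in ISE after the next AD lookup (by default up to 24 hours later, or immediately after deleting the endpoint and reconnecting it).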

That was the last missing point for the working authentication :) I was very close already, thanks!

Can this be considered "safe" if I match those clients in a specific AD group?

Sadly the profiling still doesn't work, but I guess I have to wait for a patch here.


Well, you probably want to combine matching those groups with other attributes; AD probe information, if possible, is a start.

 

What supplicant are you using to authenticate? AnyConnect or Windows native?

If AnyConnect, you could use EAP Chaining: authenticate the computer and the user, and then create a rule that only allows access if both the computer and the user authentication succeeded.

Trying to keep it as simple as possible, so I'm using the Windows 10 native one.

I did think about client certificates, but haven't yet read enough into how to do this.

