
stsagalas
Beginner

ISE 2.7 - Passive-ID (Easy connect) issues when authorized user initiates RDP to another PC

Hi All

We have the following issue with our "still testing" Passive-ID (Easy Connect) implementation.

When PC "xyz-pc" boots, MAB kicks in, matches a policy, and a Limited Access dACL is assigned to the switch port of PC "xyz-pc".

When the PC User authenticates with MS AD with account "xyz", ISE Passive-ID detects the event and assigns a new dACL with full access as the authorization policy dictates.

Everything works as expected.

 

Now User "xyz" from PC "xyz-pc" initiates an MS RDP session to another PC/Server and uses different credentials, let's say "admin_xyz", which is not included in any Passive-ID policy set.
ISE Passive-ID detects the event, and now assigns a limited dACL to the switch port of device xyz-pc.

The user ends up with limited access to the network and must log off/log on in order to get access back to the network.

Any advice is very welcome.

Thanks in advance

stsagalas
Beginner

Hi all.

Found the document below, and it states that Mapping Filters under "Work Centers > Passive ID > Providers > Mapping Filters" - "Prevents Passive Sessions from Being Created & Shared & Ex: Admin remotely logging into computer to solve problem".

You can filter based on Username (with * as a wildcard) and IP address, and the sessions that match the filters are excluded from Passive-ID, so RDP is no longer an issue.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2017/pdf/BRKSEC-3697.pdf

Kind regards
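As an added illustration (not code from the post, from Cisco, or from ISE itself), the small Python model below shows the mechanism behind the thread: Passive ID keeps one user mapping per endpoint IP, so a later logon event attributed to the same IP replaces the earlier one and changes the authorization result, while a username mapping filter such as `admin_*` drops the event before it can touch the session. The endpoint IP, the dACL names, the `FULL_ACCESS_USERS` policy and the event sequence are constructed; the code simplifies by attributing the RDP logon to the source endpoint's IP and by treating the `*` in a filter as a glob wildcard.

```python
"""Toy model of ISE Passive ID session mapping and Mapping Filters.

Constructed simulation for illustration only; it is not Cisco code, and the
IPs, usernames, dACL labels and policy are hypothetical.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical authorization policy: only these AD users get the full-access dACL.
FULL_ACCESS_USERS = {"xyz"}
FULL_DACL = "PERMIT_ALL_dACL"
LIMITED_DACL = "LIMITED_ACCESS_dACL"


@dataclass(frozen=True)
class MappingFilter:
    """A Passive ID mapping filter: username pattern (e.g. 'admin_*') and/or IP."""
    username: Optional[str] = None
    ip: Optional[str] = None

    def __post_init__(self) -> None:
        if self.username is None and self.ip is None:
            raise ValueError("a mapping filter needs a username pattern or an IP")

    def matches(self, username: str, ip: str) -> bool:
        # Username match is case-insensitive; '*' behaves as a glob wildcard here.
        if self.username is not None and not fnmatch.fnmatchcase(
            username.lower(), self.username.lower()
        ):
            return False
        if self.ip is not None and self.ip != ip:
            return False
        return True


@dataclass
class PassiveIdTracker:
    """Tracks which user is currently mapped to each endpoint IP."""
    filters: List[MappingFilter] = field(default_factory=list)
    sessions: Dict[str, str] = field(default_factory=dict)  # ip -> username
    log: List[str] = field(default_factory=list)

    def is_filtered(self, username: str, ip: str) -> bool:
        return any(f.matches(username, ip) for f in self.filters)

    def login_event(self, username: str, ip: str) -> str:
        """Consume one AD logon event.

        Returns 'filtered', 'created', 'replaced' or 'refreshed'.
        """
        if self.is_filtered(username, ip):
            self.log.append(f"drop    {username}@{ip}: matched a mapping filter")
            return "filtered"
        previous = self.sessions.get(ip)
        self.sessions[ip] = username  # one mapping per IP: a new user overwrites the old
        if previous is None:
            action = "created"
        elif previous != username:
            action = "replaced"
        else:
            action = "refreshed"
        self.log.append(f"{action:<8}{username}@{ip} (was {previous})")
        return action

    def dacl_for(self, ip: str) -> str:
        """Authorization result for the endpoint at ip under the toy policy."""
        user = self.sessions.get(ip)
        return FULL_DACL if user in FULL_ACCESS_USERS else LIMITED_DACL


# Constructed event sequence mirroring the post: a local logon as xyz, then an
# RDP logon as admin_xyz that Passive ID attributes to the same endpoint IP.
XYZ_PC = "10.0.0.10"  # hypothetical IP of xyz-pc
EVENTS = [("xyz", XYZ_PC), ("admin_xyz", XYZ_PC)]


def replay(filters: List[MappingFilter]) -> List[str]:
    """Return the dACL applied to xyz-pc after each event in EVENTS."""
    tracker = PassiveIdTracker(filters=filters)
    result = []
    for user, ip in EVENTS:
        tracker.login_event(user, ip)
        result.append(tracker.dacl_for(ip))
    for line in tracker.log:
        print(line)
    return result


if __name__ == "__main__":
    print("no filters:      ", replay([]))
    print("admin_* filtered:", replay([MappingFilter(username="admin_*")]))
```

Without a filter the second event demotes xyz-pc to the limited dACL, which is the behaviour described in the question; with the `admin_*` username filter the event is dropped and the original mapping survives. A filter can also be narrowed with an IP so that it only excludes admin logons seen from specific endpoints.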

 

 
