ISE 2.7 - Passive-ID (Easy connect) issues when authorized user initiates RDP to another PC

stsagalas
Level 1

Hi All

We have the following issue with our "still testing" Passive-ID (easy connect) implementation.

 

When PC "xyz-pc" boots, MAB kicks in, matches a policy, and a limited-access dACL is assigned to the switch port of PC "xyz-pc".

When the PC User authenticates with MS AD with account "xyz", ISE Passive-ID detects the event and assigns a new dACL with full access as the authorization policy dictates.

Everything works as expected.

 

Now user "xyz" from PC "xyz-pc" initiates an MS RDP session to another PC/server and uses different credentials, let's say "admin_xyz", which is not included in any Passive-ID policy set.
ISE Passive-ID detects the event and now assigns a limited dACL to the switch port of device xyz-pc.

The user ends up with limited access to the network and must log off/log on in order to get access back to the network.

 

Any advice is very welcome.

 

Thanks in advance

 

1 Reply

stsagalas
Level 1

Hi all.

Found the document below, and it states that Mapping Filters under "Work Centers > Passive ID > Providers > Mapping Filters" "Prevents Passive Sessions from Being Created & Shared. Ex: Admin remotely logging into computer to solve problem".

You can filter based on Username (with * as a regular expression) and IP address, and the sessions that match the filters are excluded from Passive-ID, so RDP is no longer an issue.

 

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2017/pdf/BRKSEC-3697.pdf

 

Kind regards
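The failure mode described in this thread, and the effect of a mapping filter on it, modelled as an added example. This is not code from the original post and not Cisco ISE's implementation: the event records, the IP address 10.1.1.50, the policy set (`FULL_ACCESS_USERS`) and the field names are constructed for illustration. The filter semantics are an assumption too: `*` is treated as a shell-style wildcard via `fnmatch`, and a filtered event is dropped before it can create or replace the IP-to-user session for that address.

```python
"""Model of Passive-ID session mapping with and without mapping filters.

Constructed illustration of the thread above, not ISE code. Assumptions:
- an AD logon event is reduced to (user, ip) where ip is the source address
  ISE maps the user to (for an RDP logon that is the RDP client's address);
- the latest event for an IP replaces the session for that IP;
- a username filter uses '*' as a wildcard (fnmatch), an IP filter is exact;
- a user that matches no policy set gets the limited dACL.
"""
import fnmatch

# Constructed sample events: interactive logon of xyz on xyz-pc, then the
# RDP logon with admin_xyz that Windows reports with xyz-pc as source address.
EVENTS = [
    {"user": "xyz", "ip": "10.1.1.50", "logon": "interactive"},
    {"user": "admin_xyz", "ip": "10.1.1.50", "logon": "remote_interactive"},
]

# Assumed Passive-ID authorization policy: only these users get full access.
FULL_ACCESS_USERS = {"xyz"}


def event_is_filtered(event, username_filters=(), ip_filters=()):
    """True if a mapping filter excludes this event from session creation."""
    user_hit = any(
        fnmatch.fnmatchcase(event["user"], pat) for pat in username_filters
    )
    ip_hit = event["ip"] in ip_filters
    return user_hit or ip_hit


def session_user_for_ip(events, ip, username_filters=(), ip_filters=()):
    """Replay events in order and return the user currently mapped to ip.

    Returns None when no unfiltered event ever mapped the address.
    """
    mapped_user = None
    for ev in events:
        if event_is_filtered(ev, username_filters, ip_filters):
            continue  # excluded: neither creates nor replaces a session
        if ev["ip"] == ip:
            mapped_user = ev["user"]
    return mapped_user


def authorization_for_ip(events, ip, username_filters=(), ip_filters=()):
    """dACL the model would push for the switch port behind ip."""
    user = session_user_for_ip(events, ip, username_filters, ip_filters)
    if user in FULL_ACCESS_USERS:
        return "full_access_dACL"
    return "limited_access_dACL"


if __name__ == "__main__":
    ip = "10.1.1.50"
    # No filter: the RDP logon overwrites the session and access drops.
    print("no filter      ->", authorization_for_ip(EVENTS, ip))
    # Username filter admin_*: the RDP logon is ignored, xyz keeps full access.
    print("admin_* filter ->", authorization_for_ip(EVENTS, ip, ("admin_*",)))
```

Run it as a script to see both outcomes side by side. The username filter is the one that fixes the poster's scenario; the IP filter is included because the slide deck lists both, and it is the right tool when a whole jump host, rather than a naming convention for admin accounts, should never produce sessions.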