11-20-2012 08:03 AM - edited 03-10-2019 07:48 PM
Hi,
I am trying to get ISE to check if a computer is in a specific Active Directory group and then authorize based on that information.
I have connected ISE to Active Directory and successfully added the group domain.com/Users/Domain Computers and then under Authorization I have added the policy IF Any AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Computers Then PermitAccess.
It is the first rule in the list.
But this doesn't seem to work. The computer goes to the last Default rule. Did I forget to do something?
Regards,
Philip
11-20-2012 01:01 PM
It looks to me like all the authentication log screenshots you have sent are from when your switch is using MAC bypass (MAB), which of course won't work with AD authentication, unless of course you have the MAC addresses of all your PCs in your AD (which you normally don't).
Basically you need to configure your Windows supplicant for either wired dot1x PEAP or EAP-TLS, and your switch also needs to have dot1x in the "authentication order" and "authentication priority" commands on the switchport your PC is connected to.
Here are a few screenshots of how I did my test lab ISE setup:
Authentication rules:
Authorization example; you could put this at the very top, just to make sure you don't have any broader rules that it can match further down in your rules.
11-20-2012 11:18 AM
Hello Philip-
Can you post screenshots of the live authentication event (both the first page and then the details)? Also, can you post screenshots of how your supplicant (machine client) is configured?
11-20-2012 12:17 PM
Hi Neon.
I can't show you exactly that at the moment since I did try something else before I went home. I made profiling based on whether the computer hostname contains 'xx' and whether it is a Microsoft workstation. Then I made a new authorization policy under the AD one and saw that the computers hit the new policy.
But to my knowledge the client should still hit the AD policy first.
I have some screens from that (some names are in Swedish; let me know if you want a translation of those). To me it looks like it hits the wrong Identity Store.
I don't have a screen of the supplicant at the moment. How should it be configured?
11-20-2012 12:40 PM
I did some changes to the Authentication Policy:
Before the Default part was set to Internal Endpoints.
Now it fails authentication with the following log:
So now it is actually checking AD but it is checking for User, not computer name.
Any ideas?
11-20-2012 10:55 PM
Thank you. It seems that I had a knowledge gap on how this works. For some reason I believed that ISE would take the hostname of the computer and check if it exists in AD, without additional config (.1x) on the host.
When I look in the switch log I see that 802.1x fails and it authenticates the computer on MAB.
02-15-2013 09:01 AM
Can anyone tell me if this can also be done to VPN clients?
We are using an ASA 5515X for incoming VPN using Anyconnect 3.1.02026 and NAC Agent v4.9.0.47
Would like to be able to restrict access to the network in general, or even to specific network devices, based on workstation group membership or non-AD-member workstation.
(i.e. all corporate assets can come through VPN and get to all network resources based on their department; however, when contractors come through the VPN their systems are not in AD, therefore they can only get to specific systems on the LAN, or we have certain specific users that work from home using their personal system and we only want them to access specific systems on the LAN)
Thanks in advance,
02-15-2013 09:11 AM
Hey Dirk
Have you tried in the authz policy, domain group not equal domain computers?
Using a not equal might solve your problem.
Thanks!
02-22-2013 12:58 PM
If you just want to authenticate VPN users through ISE you can use your existing ISE node, but if you want to do CoA for VPN users then you have to use an Inline Posture node.
Please have the supplicant settings as follows for machine auth. This can be an issue.
02-22-2013 06:32 PM
How do you get to that 802.1x setting for the VPN?
02-25-2013 07:03 AM
Not 802.1x settings. You just have to configure ISE as a RADIUS server on the VPN for VPN access, and have the policies for VPN users in ISE. It will be just normal RADIUS server and client communication.
02-26-2013 07:26 AM
But I am trying to get 2 factor authentication going here.
First being the username/password, 2nd being the machine login to the domain
How would I set that up?
02-26-2013 07:44 AM
Hello Dirk,
You are talking about MAR (Machine Access Restrictions). I think Cisco has introduced 802.1x for ASA in 9.0 IOS.
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/aaa_trustsec.html
If you just want a simple Radius authentication for VPN users, let me know.
02-26-2013 08:40 AM
I could be wrong but I don't think EAP type VPNs are supported even in 9.x code
02-26-2013 12:16 PM
Hello Neno,
I am also not sure, but the following doc says that the "eap-proxy" command enables EAP, which permits the security appliance to proxy the PPP authentication process to an external RADIUS authentication server.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html
The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the "authentication eap-proxy" or "authentication chap" commands, and the ASA is configured to use the local database, that user will not be able to connect.