Solved: ISE Authentication question

mheilema · ‎02-08-2016

I have a customer who is implementing ISE at a few of their smaller development sites. The idea there is that developers workstations or Vms can only access the Dev environments and not production environments. The rest of the users authenticate and get put into production environments or whatever is appropriate. We have been successful in that deployment. However, now the customer would like to implement that same type of solution at their largest sites, however, they are not yet prepared to have their normal production users authenticate via ISE to the network. In this case, they only want to have developers authenticate and get put into the correct environment, and the “normal” users would be able to proceed as normal without any authentication being done. In my mind, I don’t know how we would prevent a developer from disabling authentication to bypass the security measures we put in place. Any thoughts? Thanks in advance.

Timothy Abbott · ‎02-08-2016

Hi Michael,

Without authentication that will be challenging to do. One possibility is if all the developers are on dedicated switches, the customer could configure them for use with ISE and thereby leaving the "normal" users alone on other switches. Another possible solution is to determine at the port level where the developers are in the network and configure those switch ports for use with ISE. Of course, this method won't prevent them from switching access ports to bypass security.

Regards,

-Tim

View solution in original post

Timothy Abbott · ‎02-08-2016

Hi Michael,

Without authentication that will be challenging to do. One possibility is if all the developers are on dedicated switches, the customer could configure them for use with ISE and thereby leaving the "normal" users alone on other switches. Another possible solution is to determine at the port level where the developers are in the network and configure those switch ports for use with ISE. Of course, this method won't prevent them from switching access ports to bypass security.

Regards,

-Tim

Jason Kunst · ‎02-08-2016

Another option would be to put corporate machines into a endpoint group and policy that allows them access via MAB

Or profile corporate devices dynamically with a different DHCP Identifier or perhaps key off the domain? If corporate domain allow access via MAB otherwise deny and redirect to a message portal saying your device is non-corporate asset and you will need to authenticate to the network with dot1x

Then if dot1x (non-corp) auth passed allow access to developer resources

mbuttnerMSI · ‎02-10-2016

Not sure if this is what you are looking for but the universal switch config guide was just updated significantly in january.

In there is one command they discuss which is:

epm access-control open

copy and paste from that guide is:

Note: This feature is useful in an environment where mixture of authz profiles that use dACL and ones that don’t. For example, user devices are enforced with dACL to limit access to the network, but no dACL is used on IP phones. When IP Phones are connected, the IP phone is authorized to the voice resources by MAB/802.1X (without dACL). When a user’s device is connected to the back of the IP Phone, the switch enforces user device dACL , which applies the ACL at the interface level. This denies IP access to the IP Phone, since the IP Phone lacks dACL for authorization. However, when this command is entered globally, the switch dynamically inserts ‘permit ip any any’ ACL for any sessions without dACL, including the IP Phone. This is also true for multiple devices connected through an unmanaged hub. If there are multiple devices already connected without dACL, then when a new device with dACL AuthZ is authenticated to the same interface that the unmanaged hub is connected to, then this feature applies ‘ip permit any any’ ACL to previously connected devices sessions.

I haven't tested that command in my environment at all, but it might be worth looking into.. Otherwise you are looking a MAB type or trying to profile dynamically to differentiate a user. You will get mixed results with the latter and do a lot of MAC administration with the former. Nothing is a perfect solution but think you could get one of those working.