Re: ISE Authentication using MAC AND AD group

Drthrax · ‎03-11-2020

Hi ,

I am trying to build a policy to authenticate both Machine's MAC + The user should be a member of a special group in AD . I AM NOT USING 802.1X in my setup . My NAD is an ASA .

the user authentication is already done , I just want to know how to also add ( AND ) certain MAC address to the policy that are already added manually on ISE .

kindly advise .

thanks !

Colby LeMaire · ‎03-11-2020

Assuming that your MAC addresses are all placed into an endpoint identity group in ISE, you should be able to check that the endpoint is a member of that group in your authorization policy. If you tried that and it isn't matching your rule, then open up the details of the authentication event in Radius Live Logs and scroll down on the left side to verify what attributes are available to use as a condition in your rule. Make sure the endpoint identity group is showing up properly there. If not, then make sure the "calling-station-id" is actually the MAC address of your client. It would also help if you post a screenshot of the rule you are trying to use.

Drthrax · ‎03-11-2020

Hi
Actually the problem is I can't seem to find what element of the authorization should I match ( ex for users there is something called identity group : Employee ) but for the mac qddress I already have them in endpoint file but i cant seem to build the policy based on mac . What is the element to match Mac addresses called in authorization condition
Regards

Colby LeMaire · ‎03-11-2020

Have you tried to use "IdentityGroup-Name EQUALS Endpoint Identity Group:<your group name>"?

Drthrax · ‎03-11-2020

It only shows groups related to users not to endpoints
Any ideas ?

kthiruve · ‎03-11-2020

Here is the procedure to check if MAC address is added to a whitelist group called "IOT devices".

1. Add the MAC address to the Endpoint ID groups (Workcenter > Network Access > ID Groups)

e.g: IOT devices

2. Add the Endpoint ID group to the authorization policy ( Workcenter > NEtwork access > Policy sets > Authorization policy) and add a condition, select 'Identity Groups -> Name' as attribute and value is "Endpoint ID Groups: IOT devices"

Further you can combine the condition with AD groups to check the user.

You need to create a tunnel group in ASA for authorization only. Make sure the VPN devices provides user information to ISE for it to verify.

On a different note, If you have Anyconnect you can use ACIDEX extension to check attributes sent to ISE.

Thanks

Krishnan

Drthrax · ‎03-12-2020

Kindly check attached to see if that is what you mean , in addition this should work withour having 802.1x in my environment right ?

Cristian Matei · ‎03-11-2020

Hi,

If you want to add the MAC address as additional condition in ISE, in your authorization policy, look for "RADIUS:Calling-Station-ID) attribute and put the value of your MAC address in the form of AA:AA:AA:AA:AA:AA. This is for one MAC address, so i guess you don't want to do one rule per MAC address.

To match on multiple MAC addresses, in your authorization policy, look for "RADIUS:Called-Station-ID) attribute and select your Endpoint Group.

Regards,

Cristian Matei.

Drthrax · ‎03-11-2020

Hi Christian ,
Thank you for this solution, but I think it will not work since I am NOT using 802.1x so there is no radius session between ISE and endpoint .

Cristian Matei · ‎03-12-2020

Hi,

If the endpoint is authenticated by ISE, there is a RADIUS session, but not between ISE and endpoint, but between ISE and NAD. So the endpoint passes authentication through ISE, thus you're configuring the authorization policy next, in order to match on the MAC address as a condition as well.

Regards,
Cristian Matei.