08-22-2013 02:43 PM - edited 03-10-2019 08:48 PM
Hi All
I hope someone is able to help with the following:
We currently use ISE to authenticate domain users connecting to our corporate wifi. ISE checks Windows AD for the wireless policy. The issue is that once a machine connects to the wifi, it allows any user to connect regardless of whether that user is allowed access in a later policy.
We would like to configure authorization so that it uses Computer and User authorization, ie only if the computer and users are in AD, can the user successfully authenticate.
The problem with this config is that I can log onto a Corp laptop as a local user, and still get access to the Corporate Wifi.
The reason being that the connection hits the first rule, which allows computer access, and doesn't check the user authentication.
I'd therefore like to configure ISE so that it checks for computer and user authentication together, so that both parts need to be met before access is allowed.
Regards Craig
08-22-2013 07:11 PM
Craig
EAP chaining will do what you want. But there are limitations...
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_auth_pol.html
Sent from Cisco Technical Support iPad App
08-23-2013 02:15 AM
Hi Craig
Authentication policies define the protocols that Cisco ISE should use to communicate with the network
devices, and the identity sources that it should use for authentication. A policy is a set of conditions and
a result. A policy condition consists of an operand (attribute), an operator (equal to, not equal to, greater
than, and so on), and a value. Compound conditions are made up of one or more simple conditions that
are connected by the AND or OR operator. At runtime, Cisco ISE evaluates the policy condition and then
applies the result that you have defined based on whether the policy evaluation returns a true or a false
value.
Note: During policy condition evaluation, Cisco ISE compares an attribute with a value. It is possible to run
into a situation where the attribute specified in the policy condition may not have a value assigned in the
request. In such cases, if the operator that is used for comparison is “not equal to,” then the condition
will evaluate to true. In all other cases, the condition will evaluate to false.
08-25-2013 07:27 AM
EAP Chaining uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
If the device is not a member of the domain, then the machine authentication fails and the device is not a corporate device. If the device does not support EAP Chaining, then the device is also not a corporate device. In either case, the result would be to treat these devices differently than the corporate device. That could be limited access for employee-owned devices and out to the Internet for non-employee devices, depending on corporate policy.
For EAP Chaining configuration (trustsec design guide)
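An added example, not from this thread or from Cisco: a small Python model of the policy evaluation described in the reply quoting the ISE user guide (simple conditions joined by AND/OR, and the "not equal to" rule for attributes missing from the request), plus a first-match rule list that shows why a machine-only rule placed first admits a local account, while a rule requiring both the machine and user results, as EAP chaining provides, does not. The attribute names and rule names are hypothetical, not ISE's own.

```python
from dataclasses import dataclass

MISSING = object()  # marker for an attribute absent from the request

@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str  # "eq" (equal to) or "ne" (not equal to)
    value: str

    def evaluate(self, request: dict) -> bool:
        actual = request.get(self.attribute, MISSING)
        if actual is MISSING:
            # Quoted behaviour: missing attribute makes "ne" true, everything else false
            return self.operator == "ne"
        if self.operator == "eq":
            return actual == self.value
        if self.operator == "ne":
            return actual != self.value
        raise ValueError(f"unsupported operator {self.operator!r}")

def compound(conditions, request, connector="AND"):
    """Compound condition: simple conditions joined by AND or OR."""
    results = [c.evaluate(request) for c in conditions]
    return all(results) if connector == "AND" else any(results)

def authorize(rules, request):
    """First-match rule list of (name, conditions, result). Default is deny."""
    for name, conditions, result in rules:
        if compound(conditions, request):
            return name, result
    return None, "DenyAccess"

# Constructed requests; attribute names are hypothetical, not ISE's own.
CORP_USER = {"MachineAuth": "Succeeded", "UserAuth": "Succeeded"}
LOCAL_USER = {"MachineAuth": "Succeeded"}  # local account: no domain user result
# The poster's layout: a machine-only rule is evaluated first.
MACHINE_FIRST = [
    ("Domain Computers", [Condition("MachineAuth", "eq", "Succeeded")], "PermitAccess"),
    ("Domain Users", [Condition("UserAuth", "eq", "Succeeded")], "PermitAccess"),
]
# EAP-chaining style: both results must be present and successful.
BOTH_REQUIRED = [
    ("Corp device and user", [Condition("MachineAuth", "eq", "Succeeded"),
                              Condition("UserAuth", "eq", "Succeeded")], "PermitAccess"),
]

if __name__ == "__main__":
    print(authorize(MACHINE_FIRST, LOCAL_USER))   # ('Domain Computers', 'PermitAccess')
    print(authorize(BOTH_REQUIRED, LOCAL_USER))   # (None, 'DenyAccess')
```

Note that a "not equal to" condition such as `UserAuth ne Failed` is true for the local account precisely because no user result is present, so it cannot be used as a stand-in for "user authenticated".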
08-25-2013 12:02 PM
Why can't ISE check user authorization when the laptop connects via WLAN? Don't you use 802.1X user auth on WLAN?
What is the first rule you mentioned that allows computer access?
08-28-2013 08:33 PM
I would request you to share your ISE policy with us so that we can come to know how you implemented the authorization policies and check what is going wrong.