ISE authentication

craig bache
Level 1

Hi All

I hope someone is able to help with the following:

We currently use ISE to authenticate domain users connecting to our corporate wifi. ISE checks Windows AD for the wireless policy. The issue is that once a machine connects to the wifi, it allows any user to connect regardless of whether that user is allowed access in a later policy.

We would like to configure authorization so that it uses Computer and User authorization, ie only if the computer and users are in AD, can the user successfully authenticate.

The problem with this config is that I can log onto a Corp laptop as a local user, and still get access to the Corporate Wifi.

The reason being that the connection hits the first rule, which allows computer access, and doesn't check the user authentication.

I'd therefore like to configure ISE so that it checks for computer and user authentication together, so that both parts need to be met before access is allowed.

Regards, Craig

5 Replies

George Stefanick
VIP Alumni

Craig

Eap chaining will do what you want. But there are limitations ..

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_auth_pol.html


"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Muhammad Munir
Level 5

Hi Craig

Authentication policies define the protocols that Cisco ISE should use to communicate with the network devices, and the identity sources that it should use for authentication. A policy is a set of conditions and a result. A policy condition consists of an operand (attribute), an operator (equal to, not equal to, greater than, and so on), and a value. Compound conditions are made up of one or more simple conditions that are connected by the AND or OR operator. At runtime, Cisco ISE evaluates the policy condition and then applies the result that you have defined based on whether the policy evaluation returns a true or a false value.

Note: During policy condition evaluation, Cisco ISE compares an attribute with a value. It is possible to run into a situation where the attribute specified in the policy condition may not have a value assigned in the request. In such cases, if the operator that is used for comparison is "not equal to," then the condition will evaluate to true. In all other cases, the condition will evaluate to false.

Venkatesh Attuluri
Cisco Employee

EAP Chaining uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.

If the device is not a member of the domain, then the machine authentication fails and the device is not a corporate device. If the device does not support EAP Chaining, then the device is also not a corporate device. In either case, the result would be to treat these devices differently than the corporate device. That could be limited access for employee-owned devices and out to the Internet for non-employee devices, depending on corporate policy.

For EAP Chaining configuration (TrustSec design guide):

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
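The following is an added illustrative model, not ISE code or configuration and not from any poster in this thread. It applies the condition-evaluation rules Muhammad Munir describes above (operand, operator, value; AND compounds; the missing-attribute rule for "not equal to") to the machine-plus-user outcome of EAP chaining that Venkatesh describes. The attribute names MachineAuth and UserAuth, the rule names and the result names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]

@dataclass(frozen=True)
class Condition:
    """Simple ISE-style condition: operand (attribute), operator, value."""
    attribute: str
    operator: str  # "equals" or "not_equals"
    value: str

    def evaluate(self, request: Request) -> bool:
        # Attribute absent from the request: "not equal to" evaluates true,
        # every other operator evaluates false (the note in the thread).
        if self.attribute not in request:
            return self.operator == "not_equals"
        actual = request[self.attribute]
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "not_equals":
            return actual != self.value
        raise ValueError(f"unsupported operator {self.operator!r}")

def all_of(*conds: Condition) -> Callable[[Request], bool]:
    """Compound condition: simple conditions joined by AND."""
    return lambda req: all(c.evaluate(req) for c in conds)

# Attribute names are constructed for this model, not real ISE dictionary
# attributes: MachineAuth/UserAuth stand for the two halves of an EAP
# chaining result. Rules are evaluated top-down, first match wins.
RULES: List[Tuple[str, Callable[[Request], bool], str]] = [
    ("Corp-Machine-And-User",
     all_of(Condition("MachineAuth", "equals", "succeeded"),
            Condition("UserAuth", "equals", "succeeded")),
     "PermitAccess"),
    ("Corp-Machine-Only",
     all_of(Condition("MachineAuth", "equals", "succeeded")),
     "RestrictedAccess"),
    ("Non-Corporate-Device",
     all_of(Condition("MachineAuth", "not_equals", "succeeded")),
     "InternetOnly"),
]

def authorize(request: Request) -> Tuple[str, str]:
    """Return (matched rule, result); default deny when nothing matches."""
    for name, predicate, result in RULES:
        if predicate(request):
            return name, result
    return "Default", "DenyAccess"
```

A local account on a domain-joined laptop lands on the machine-only rule rather than the full-access one, and a request with no MachineAuth attribute at all (a supplicant without EAP chaining) still matches the "not equal to" rule, which is the missing-attribute behaviour described in the note above.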

Peter Koltl
Level 7

Why can't ISE check user authorization when the laptop connects via WLAN? Don't you use 802.1X user auth on WLAN?

What is the first rule you mentioned that allows computer access?

Ravi Singh
Level 7

I would request you to share your ISE policy with us so that we can come to know how you implemented the authorization policies and check what is going wrong.