Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
599
Views
2
Helpful
1
Replies

ISE condition based on passive-id lookup failure ?

Go to solution
mulatif
Cisco Employee
Cisco Employee

‎11-06-2017 07:33 PM

Hi,

Is it possible to have the below flow ?

1. Authz profile with passive-id tracking (ACL-A applied)

2. Passive-ID success (CoA and now apply ACL-B)

OR

3. Passive-ID look-up failure i.e. User not found (CoA and now apply ACL-C)

I am struggling to find on how to detect "passive-id --> User not found"  condition ?

The desired use-case\flow

1. Endpoint connected and limited ACL applied as needed for AD-Login (Passive-ID tracking enabled)

2. If Passive-ID is a success then Employee-ACL applied.

3. If Passive-ID look-up doesn't find the User then Guest-ACL applied.

I understand that we can probably add-on Guest Access to the "limited ACL" (In the Passive-ID tracking Authz rule) , if the above is not possible.

Thanks,

Naman

1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎11-06-2017 08:12 PM

The Passive ID tracking option essentially states "for any user authorized with this policy, watch for any merged entries and issue CoA".  By merged entry, I am referring to case where a RADIUS session is correlated wit a Passive ID session based on matching IP address.

If there is no tracking enabled or if there is tracking but no merger of entries, then there will be no lookup based on Passive Identity.  In other words, if Passive ID lookup fails, then there is no merged entry to start with.  A tracked entry that is merged will trigger a CoA.  On reauth there will be option to match on Passive ID attributes.  Along with original authorization or post-merge authorization, you can choose to assign ACL, VLAN, SGT, etc.

Likely what you want is to combine limited access ACL (AD-Login) with Guest ACL or a CWA authorization to redirect web to a guest portal.  If AD user logs in, then they will match Employee Policy.  If not, then they will get redirected to guest portal.

Craig

View solution in original post

1 Reply 1

Go to solution
Craig Hyps
Level 10
Level 10

‎11-06-2017 08:12 PM

The Passive ID tracking option essentially states "for any user authorized with this policy, watch for any merged entries and issue CoA".  By merged entry, I am referring to case where a RADIUS session is correlated wit a Passive ID session based on matching IP address.

If there is no tracking enabled or if there is tracking but no merger of entries, then there will be no lookup based on Passive Identity.  In other words, if Passive ID lookup fails, then there is no merged entry to start with.  A tracked entry that is merged will trigger a CoA.  On reauth there will be option to match on Passive ID attributes.  Along with original authorization or post-merge authorization, you can choose to assign ACL, VLAN, SGT, etc.

Likely what you want is to combine limited access ACL (AD-Login) with Guest ACL or a CWA authorization to redirect web to a guest portal.  If AD user logs in, then they will match Employee Policy.  If not, then they will get redirected to guest portal.

Craig

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents