2534 Views · 0 Helpful · 2 Replies

ISE Endpoint Profiling not updating when using docking stations

Arne Bier (VIP)

Hello

Has anyone got any clever ideas how to handle the scenario where a docking station is shared across multiple computers for EAP-PEAP authentication?

The setup:

USB-C docking station is wired into a C9300 802.1X port (configured by DNAC 1.3.3.8 - it's all standard stuff) - the USB-C docking station is used by Windows 10 laptops as well as macOS laptops.

Both laptops have a supplicant, but since macOS doesn't have a concept of computer auth, the macOS supplicant is configured with AD user credentials, which gets caught by a different ISE Authorization Rule. The Windows domain-joined computers will hit another rule (AD machine account). We want the Result Profile in ISE to be the same for either laptop, and the workaround was to add a check for the Operating System during Authorization - if it's a Mac and the AD account is in a certain Group then it gets the correct result. It all works perfectly when you test these laptops on their own docking stations.

Except:

When unplugging the Windows laptop and plugging in the Mac laptop on the same docking station USB-C cable, ISE still thinks that the device attached is a Windows OS, and hence fails the AuthZ because the supplied macOS AD creds are not in the Machine AD Group. The workaround is to clear the docking station MAC address in Context Visibility and then it works.

I have yet to check what the C9300's Device Sensor cache contains when the macOS laptop is connected - I suspect that the switch contains the correct DHCP data and that it has passed it to ISE. I am unsure under which conditions ISE will unconditionally overwrite an Endpoint's profiled attributes to then cause a change in Endpoint Policy?

BTW we have not enabled Anomaly Detection under the Profiler general Settings.

Surely this must be a common theme in the industry by now? Is the answer that we need to have certificates on all devices instead of relying on AD accounts and device profiling?

ISE 2.7 p2

DNAC 1.3.3.8

IOS-XE 16.12.04 (Cat 9300)

Any hints appreciated
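As an added example (not code from this thread, from Cisco ISE, or from the switch), here is a small Python scan for the dock-swap pattern described above: the same MAC address moving from an AD machine-account authentication to an AD user authentication while the OS ISE has profiled for it stays unchanged, which is the point at which the stale profile breaks authorization. The record layout, the MACs, identities and OS names, and the 24-hour window are all constructed assumptions; the identity-kind rule encodes the deployment described here (Windows = machine account, macOS = user account).

```python
# Added example, not code from the thread or from Cisco ISE: scans
# authentication records for a dock MAC that flips between the two
# identity types the post describes while its profiled OS does not change.
from datetime import datetime

# Constructed sample records modelled on the scenario above; the line
# layout is an assumption, not ISE's real log format.
SAMPLE_LOG = """\
2020-11-02T08:01:10 mac=00:11:22:33:44:55 user=host/WIN-LAPTOP01$ os=Windows10-Workstation
2020-11-02T08:45:30 mac=00:11:22:33:44:55 user=jdoe@corp.example os=Windows10-Workstation
2020-11-02T09:10:00 mac=AA:BB:CC:DD:EE:FF user=host/WIN-LAPTOP02$ os=Windows10-Workstation
2020-11-02T09:30:00 mac=AA:BB:CC:DD:EE:FF user=host/WIN-LAPTOP02$ os=Windows10-Workstation
"""

def parse_line(line):
    """Return (timestamp, mac, identity, profiled_os) for one record."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), f["mac"].lower(), f["user"], f["os"]

def identity_kind(identity):
    # In the deployment described, Windows machines authenticate with the
    # AD computer account (host/NAME$) and macOS with an AD user account.
    return "machine" if identity.startswith("host/") and identity.endswith("$") else "user"

def find_shared_dock_macs(log_text, window_hours=24):
    """Flag MACs whose identity kind changes while the profiled OS stays
    the same within window_hours: the stale-profile case from the post."""
    last = {}       # mac -> (timestamp, identity kind, profiled OS)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mac, ident, os_name = parse_line(line)
        kind = identity_kind(ident)
        prev = last.get(mac)
        if prev:
            p_ts, p_kind, p_os = prev
            if kind != p_kind and os_name == p_os and (ts - p_ts).total_seconds() <= window_hours * 3600:
                findings.append({"mac": mac, "from": p_kind, "to": kind, "stale_os": os_name, "identity": ident})
        last[mac] = (ts, kind, os_name)
    return findings

if __name__ == "__main__":
    for f in find_shared_dock_macs(SAMPLE_LOG):
        print(f"{f['mac']}: {f['from']} -> {f['to']} auth ({f['identity']}), "
              f"ISE still profiles {f['stale_os']}; clear the endpoint before re-auth")
```

Feeding real ISE authentication exports through `parse_line` would need the field names adapted; the detection logic in `find_shared_dock_macs` is independent of the input layout.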

 

2 Replies

hslai (Cisco Employee)

You are correct that there is no good solution today, so this is a roadmap item.

Hello,

We have the same issue when connecting a Windows box and a MacBook behind the same docking station. Any update on the roadmap for a fix?

 

Note: Similar to AnyConnect using the UDID feature to identify hosts (used for posture compliance) rather than depending on the MAC, a similar approach could be implemented with profiling too (just my thoughts).

Any feedback appreciated,

Regards

Gaj Ana