ISE-PIC Identity Update when Roaming

tisnow
Cisco Employee
Cisco Employee

If I have a user on wired for whom we've been able to capture identity information from a Kerberos login to AD.

The user then unplugs the docking station and moves to wireless without logging off (the current issue is that the firewall then sees a new connection with unknown identity information) — Is there any way ISE-PIC will see this IP address change if the only trigger is a new wireless association/login?

Accepted Solution

Craig Hyps
Level 10
Level 10

Mr. Snow,

The logic for ISE-PIC is that the identity is mapped to the IP associated with the AD login. If the client changes IP address without triggering updated login information via AD login or ticket refresh, or via another supported passive ID method, then no change is made to the IP address reported in pxGrid updates.

The logic for ISE, which includes RADIUS auth, is that once the session is merged with a RADIUS session, we can then associate the MAC address of the client to the passive ID session. (This also allows tracking of associated endpoint attributes like profile for policy matching!) This association to the MAC address allows the user to move about or even change IP addresses within the allowed cache timeout and reconnect with the same privileges based on the original AD login ID. I have not tested, but this should also allow the IP address to be updated in pxGrid updates to the firewall.

Craig


4 Replies


Sir Hyps,

That's great news... To confirm: if the client changes IP but doesn't trigger one of the methods of address detection (re-association, shutdown/logoff, etc.), then we won't know.

But in this case, since I would be transitioning from wired to wireless, I will now have a new RADIUS session, so a new binding is created. Would this require ISE to be in Active as opposed to PIC mode? In your second example I understood that a passive ID learned from AD could be switched with a RADIUS message including the MAC address.

Tim

Correct. If the change in connection does not trigger a new login that updates the user-to-IP mapping, then only the original will be seen and used for the passive ID cache period. If more robust handling is required, as previously described, then it may require ISE with active auth--even if just MAB--to provide the updated binding to MAC and endpoint data. This allows the IP address to change for the user identity.

Let me update this last reply, as I did not take into account "change from wired to wireless". In this case, there can be no continuity of the original login session since the MAC is also changing. This would require a new login to AD or another supported passive ID method to create a fresh mapping with the new IP (and MAC if using ISE RADIUS).
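To make the three cases in this thread concrete (PIC-only mapping keyed by IP, ISE merging a RADIUS session so the binding follows the MAC, and the wired-to-wireless move where the MAC changes too), here is a small simulation of the identity table a firewall would learn over pxGrid. This is an added illustration written for this page, not Cisco code and not an ISE or pxGrid API; the user name, MAC and IP values are constructed, and the passive-ID cache timeout Craig mentions is not modeled.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Binding:
    user: str
    ip: str
    mac: Optional[str] = None  # set only once merged with a RADIUS session


class IdentityCache:
    """Toy model of the user-to-IP table the firewall learns via pxGrid.

    merge_radius=False models ISE-PIC: passive ID only, keyed by IP.
    merge_radius=True models full ISE: a RADIUS session (802.1X or MAB) that
    shares the IP is merged into the passive-ID session, adding a MAC key.
    """

    def __init__(self, merge_radius: bool) -> None:
        self.merge_radius = merge_radius
        self.by_ip: Dict[str, Binding] = {}
        self.by_mac: Dict[str, Binding] = {}

    def ad_login(self, user: str, ip: str) -> Binding:
        """Passive-ID trigger (Kerberos/AD login): bind the user to the login IP."""
        binding = Binding(user, ip)
        self.by_ip[ip] = binding
        return binding

    def radius_session(self, mac: str, ip: str) -> Optional[Binding]:
        """RADIUS session seen for the same IP: ISE merges it and learns the MAC."""
        if not self.merge_radius:
            return None  # ISE-PIC has no RADIUS session to merge
        binding = self.by_ip.get(ip)
        if binding is not None:
            binding.mac = mac
            self.by_mac[mac] = binding
        return binding

    def ip_change(self, mac: str, new_ip: str) -> Optional[Binding]:
        """Endpoint obtains a new IP with no new AD login.

        Only a MAC-keyed (merged) binding can follow the endpoint; a PIC-only
        binding stays on the original IP until a fresh passive-ID event.
        """
        binding = self.by_mac.get(mac)
        if binding is None:
            return None
        self.by_ip.pop(binding.ip, None)
        binding.ip = new_ip
        self.by_ip[new_ip] = binding
        return binding

    def lookup(self, ip: str) -> str:
        """What the firewall sees for a flow sourced from this IP."""
        binding = self.by_ip.get(ip)
        return binding.user if binding is not None else "unknown"


# Constructed sample values (hypothetical, not taken from the thread)
USER = "tsnow"
WIRED_MAC, WIFI_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
WIRED_IP, WIRED_IP2, WIFI_IP = "10.1.1.10", "10.1.1.77", "10.2.2.20"


def pic_only_roam() -> dict:
    """ISE-PIC: IP changes, no new login -> stale mapping, new IP unknown."""
    cache = IdentityCache(merge_radius=False)
    cache.ad_login(USER, WIRED_IP)
    cache.ip_change(WIFI_MAC, WIFI_IP)  # no effect: nothing is keyed by MAC
    return {"old": cache.lookup(WIRED_IP), "new": cache.lookup(WIFI_IP)}


def ise_same_nic_readdress() -> dict:
    """ISE + RADIUS: same NIC gets a new IP -> binding follows the MAC."""
    cache = IdentityCache(merge_radius=True)
    cache.ad_login(USER, WIRED_IP)
    cache.radius_session(WIRED_MAC, WIRED_IP)
    cache.ip_change(WIRED_MAC, WIRED_IP2)
    return {"old": cache.lookup(WIRED_IP), "new": cache.lookup(WIRED_IP2)}


def ise_wired_to_wireless() -> dict:
    """ISE + RADIUS: wireless NIC has a different MAC -> no continuity
    until a new AD login creates a fresh mapping for the wireless IP."""
    cache = IdentityCache(merge_radius=True)
    cache.ad_login(USER, WIRED_IP)
    cache.radius_session(WIRED_MAC, WIRED_IP)
    cache.ip_change(WIFI_MAC, WIFI_IP)  # unknown MAC: returns None
    before = cache.lookup(WIFI_IP)
    cache.ad_login(USER, WIFI_IP)       # fresh Kerberos login on wireless
    return {"before_login": before, "after_login": cache.lookup(WIFI_IP)}


if __name__ == "__main__":
    print("PIC only:", pic_only_roam())
    print("ISE, same NIC:", ise_same_nic_readdress())
    print("ISE, wired->wireless:", ise_wired_to_wireless())
```

The first scenario is the failure mode Tim describes (the firewall sees the new wireless IP as unknown while the old wired IP still carries the user); the second is the MAC-following behaviour Craig describes for ISE with a merged RADIUS session; the third shows why that does not help across a wired-to-wireless move, where only a new passive-ID event restores the mapping.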

Moved to the PIC Community after Craig's latest update clarifying the wired to wireless change.
