cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1892
Views
1
Helpful
4
Replies
tisnow
Cisco Employee

ISE-PIC Identity Update when Roaming

If I have a user on wired that we've been able to capture identity information from a  kerberos login to AD.

The user then unplugs docking station and moves to wireless without logging off (current issue is that firewall then see's a new connection with unknown identity information)  — Is there any way ISE-PIC will see this IP address change if the only trigger is a new wireless association/login?

1 ACCEPTED SOLUTION

Accepted Solutions
Craig Hyps
Advocate

Mr. Snow,

The logic for ISE-PIC is that the identity is mapped to the IP associated with AD login.  If client changes IP address, but not triggering updated login information via AD login or ticket refresh, or via other supported passive ID methods, then no change is made to IP address reported in pxGrid updates.

The logic for ISE which includes RADIUS auth is that once the session is merged with a RADIUS session, we can then associate the MAC address of the client to the passive ID session. (This also allows tracking of associated endpoint attributes like profile for policy matching!).   This association to MAC address allows user to move about or even change IP addresses within the allowed cache timeout and reconnect with same privileges based on original AD login id.   I have not tested, but this should also allow the IP address to be updated in pxGrid updates to firewall.

Craig

View solution in original post

4 REPLIES 4
Craig Hyps
Advocate

Mr. Snow,

The logic for ISE-PIC is that the identity is mapped to the IP associated with AD login.  If client changes IP address, but not triggering updated login information via AD login or ticket refresh, or via other supported passive ID methods, then no change is made to IP address reported in pxGrid updates.

The logic for ISE which includes RADIUS auth is that once the session is merged with a RADIUS session, we can then associate the MAC address of the client to the passive ID session. (This also allows tracking of associated endpoint attributes like profile for policy matching!).   This association to MAC address allows user to move about or even change IP addresses within the allowed cache timeout and reconnect with same privileges based on original AD login id.   I have not tested, but this should also allow the IP address to be updated in pxGrid updates to firewall.

Craig

Sir Hyps,

That's great news...  To confirm, that if the client changes IP but doesn't trigger one of the methods of address detection (re-association, shutdown/logoff, etc) then we won't know.

But in this case, since I would be transitioning from wired to wireless, I will now have a new RADIUS session so a new binding is created.   Would this require ISE to be in Active as opposed to PIC mode as in your second example I understood that a passive ID learned from AD could be switched with a RADIUS message including MAC address.

Tim

Correct.  If the change in connection does not trigger a new login that updates user to IP mapping, then only original will be seen and used for passive ID cache period.   If require more robust handling as previously described, then may require ISE with active auth--even if just MAB--to provide the updated binding to MAC and endpoint data.  This allows IP address to change for the user identity.

Let me update this  last reply as I did not take into account "change from wired to wireless".  In this case, there can be no continuity of the original login session since MAC is also changing.  This would require a new login to AD or other support passive ID method to create a fresh mapping with the new IP (and MAC if using ISE RADIUS).

Moved to pic Community after Craig’s latest update clarifying wired to wireless change

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube