If I have a user on wired that we've been able to capture identity information from a kerberos login to AD.
The user then unplugs the docking station and moves to wireless without logging off (the current issue is that the firewall then sees a new connection with unknown identity information) — Is there any way ISE-PIC will see this IP address change if the only trigger is a new wireless association/login?
Mr. Snow,
The logic for ISE-PIC is that the identity is mapped to the IP associated with the AD login. If the client changes IP address but does not trigger updated login information via AD login or ticket refresh, or via another supported passive ID method, then no change is made to the IP address reported in pxGrid updates.
The logic for ISE, which includes RADIUS auth, is that once the session is merged with a RADIUS session, we can then associate the MAC address of the client to the passive ID session. (This also allows tracking of associated endpoint attributes like profile for policy matching!) This association to the MAC address allows the user to move about or even change IP addresses within the allowed cache timeout and reconnect with the same privileges based on the original AD login ID. I have not tested, but this should also allow the IP address to be updated in pxGrid updates to the firewall.
Craig
Sir Hyps,
That's great news... To confirm: if the client changes IP but doesn't trigger one of the methods of address detection (re-association, shutdown/logoff, etc.), then we won't know.
But in this case, since I would be transitioning from wired to wireless, I will now have a new RADIUS session, so a new binding is created. Would this require ISE to be in Active as opposed to PIC mode? In your second example I understood that a passive ID learned from AD could be switched with a RADIUS message including the MAC address.
Tim
Correct. If the change in connection does not trigger a new login that updates the user-to-IP mapping, then only the original mapping will be seen and used for the passive ID cache period. If more robust handling is required, as previously described, then it may require ISE with active auth--even if just MAB--to provide the updated binding to MAC and endpoint data. This allows the IP address to change for the user identity.
Let me update this last reply as I did not take into account "change from wired to wireless". In this case, there can be no continuity of the original login session since the MAC is also changing. This would require a new login to AD or another supported passive ID method to create a fresh mapping with the new IP (and MAC if using ISE RADIUS).
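As an added illustration of the cache logic Craig describes in both replies (example code written for this thread, not ISE or ISE-PIC software; the user, IPs, MACs and one-hour timeout are constructed), a small model of which events update the identity-to-IP mapping and which do not:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    user: str
    ip: str
    mac: Optional[str] = None   # bound only after a merge with a RADIUS session
    learned_at: float = 0.0     # time of the login event that created the mapping

class IdentityCache:
    """Model of the passive-ID cache behaviour described in the thread (constructed)."""
    def __init__(self, cache_timeout: float):
        self.timeout, self.by_ip, self.by_mac = cache_timeout, {}, {}

    def ad_login(self, user, ip, now):
        # AD login (or ticket refresh) is what creates a fresh user-to-IP mapping.
        self.by_ip[ip] = Session(user, ip, learned_at=now)

    def radius_merge(self, ip, mac):
        # Full ISE only: a RADIUS session on the same IP binds the MAC to the identity.
        if (s := self.by_ip.get(ip)) is not None:
            s.mac, self.by_mac[mac] = mac, s

    def ip_change(self, mac, new_ip, now):
        # Same MAC within the cache timeout keeps its identity; unknown MAC gets none.
        s = self.by_mac.get(mac)
        if s is None or now - s.learned_at > self.timeout:
            return False
        self.by_ip.pop(s.ip, None)
        s.ip, self.by_ip[new_ip] = new_ip, s
        return True

    def identity_for(self, ip, now):
        # What a pxGrid subscriber such as the firewall would learn for this IP.
        s = self.by_ip.get(ip)
        return s.user if s and now - s.learned_at <= self.timeout else None

def scenario():
    # Constructed values: user, IPs, MACs and a one-hour cache timeout.
    pic = IdentityCache(cache_timeout=3600)
    pic.ad_login("tsnow", "10.1.1.10", now=0)
    # ISE-PIC, wired -> wireless, no new AD login: the new IP is unknown to the firewall.
    pic_unknown = pic.identity_for("10.2.2.20", now=60)
    ise = IdentityCache(cache_timeout=3600)
    ise.ad_login("tsnow", "10.1.1.10", now=0)
    ise.radius_merge("10.1.1.10", "aa:bb:cc:00:00:01")          # wired NIC
    ise.ip_change("aa:bb:cc:00:00:01", "10.1.1.55", now=120)     # same NIC, new lease
    same_nic = ise.identity_for("10.1.1.55", now=121)
    # Wireless NIC = different MAC, so no continuity until a fresh AD login.
    moved = ise.ip_change("aa:bb:cc:00:00:02", "10.2.2.20", now=200)
    return pic_unknown, same_nic, moved
```

Running `scenario()` returns `(None, "tsnow", False)`: PIC alone never learns the wireless IP, ISE with RADIUS follows an IP change on the same MAC, and the wired-to-wireless move gets no continuity.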
Moved to pic Community after Craig’s latest update clarifying wired to wireless change