02-14-2018 05:20 PM - edited 02-21-2020 10:45 AM
If I have a user on wired that we've been able to capture identity information from a kerberos login to AD.
The user then unplugs the docking station and moves to wireless without logging off (the current issue is that the firewall then sees a new connection with unknown identity information) — Is there any way ISE-PIC will see this IP address change if the only trigger is a new wireless association/login?
02-15-2018 04:45 AM
Mr. Snow,
The logic for ISE-PIC is that the identity is mapped to the IP associated with AD login. If client changes IP address, but not triggering updated login information via AD login or ticket refresh, or via other supported passive ID methods, then no change is made to IP address reported in pxGrid updates.
The logic for ISE which includes RADIUS auth is that once the session is merged with a RADIUS session, we can then associate the MAC address of the client to the passive ID session. (This also allows tracking of associated endpoint attributes like profile for policy matching!). This association to MAC address allows user to move about or even change IP addresses within the allowed cache timeout and reconnect with same privileges based on original AD login id. I have not tested, but this should also allow the IP address to be updated in pxGrid updates to firewall.
Craig
02-15-2018 05:04 AM
Sir Hyps,
That's great news... To confirm: if the client changes IP but doesn't trigger one of the methods of address detection (re-association, shutdown/logoff, etc.), then we won't know.
But in this case, since I would be transitioning from wired to wireless, I will now have a new RADIUS session, so a new binding is created. Would this require ISE to be in Active as opposed to PIC mode? In your second example I understood that a passive ID learned from AD could be switched with a RADIUS message including the MAC address.
Tim
02-15-2018 05:11 AM
Correct. If the change in connection does not trigger a new login that updates the user-to-IP mapping, then only the original will be seen and used for the passive ID cache period. If more robust handling is required, as previously described, then it may require ISE with active auth--even if just MAB--to provide the updated binding to MAC and endpoint data. This allows the IP address to change for the user identity.
Let me update this last reply as I did not take into account "change from wired to wireless". In this case, there can be no continuity of the original login session since the MAC is also changing. This would require a new login to AD or another supported passive ID method to create a fresh mapping with the new IP (and MAC if using ISE RADIUS).
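The following toy model replays the binding rules Craig describes in the two answers above (identity mapped to the IP of the AD login; a RADIUS session merging with that binding and adding the MAC; roaming to a new IP allowed only while the MAC is known and the cache period has not expired; no continuity when the MAC itself changes). It is an added illustration written for this thread, not Cisco ISE or ISE-PIC code; the class and method names, the one-hour cache timeout, the MAC and IP addresses and the timings are all constructed for the example.

```python
"""Toy model of the passive-identity binding rules discussed in the thread.

Added illustration only: not code from Cisco ISE or ISE-PIC. Class and method
names, cache timeout, addresses and timings are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    user: str
    ip: str
    learned_at: float
    mac: Optional[str] = None   # only learned once merged with a RADIUS session


class IdentityCache:
    """Models what a pxGrid consumer (e.g. a firewall) would learn for a given IP."""

    def __init__(self, cache_timeout: float, radius: bool):
        self.cache_timeout = cache_timeout   # passive-ID cache period, seconds
        self.radius = radius                 # True: ISE with RADIUS; False: ISE-PIC only
        self.by_ip: dict[str, Binding] = {}
        self.by_mac: dict[str, Binding] = {}

    def ad_login(self, user: str, ip: str, now: float) -> Binding:
        """Passive-ID event (AD/Kerberos login or ticket refresh): user -> IP mapping."""
        b = Binding(user, ip, now)
        self.by_ip[ip] = b
        return b

    def radius_session(self, mac: str, ip: str, now: float) -> Optional[Binding]:
        """A RADIUS session (802.1X or MAB) appears for mac at ip.

        ISE-PIC has no RADIUS, so the event carries no identity information.
        With ISE+RADIUS: a MAC already bound within the cache period keeps its
        user and moves to the new IP; otherwise the session merges with any
        passive-ID binding already present at this IP, learning the MAC.
        """
        if not self.radius:
            return None
        known = self.by_mac.get(mac)
        if known is not None and now - known.learned_at <= self.cache_timeout:
            self.by_ip.pop(known.ip, None)   # user follows the MAC to the new IP
            known.ip = ip
            self.by_ip[ip] = known
            return known
        b = self.by_ip.get(ip)
        if b is not None:
            b.mac = mac                      # merge: passive-ID session now has a MAC
            self.by_mac[mac] = b
        return b

    def identity_for(self, ip: str, now: float) -> Optional[str]:
        """What the firewall sees for a flow from ip (None = unknown identity)."""
        b = self.by_ip.get(ip)
        if b is None or now - b.learned_at > self.cache_timeout:
            return None
        return b.user


def run_scenarios() -> dict:
    """Replay the cases from the thread with constructed addresses and timings."""
    out = {}

    # 1. ISE-PIC only: wired AD login, then move to wireless with no new login.
    pic = IdentityCache(cache_timeout=3600, radius=False)
    pic.ad_login("alice", "10.0.1.10", now=0)
    pic.radius_session("bb:bb:bb:bb:bb:bb", "10.0.2.20", now=60)   # ignored: PIC has no RADIUS
    out["pic_wireless_ip"] = pic.identity_for("10.0.2.20", now=60)     # unknown to the firewall
    out["pic_stale_wired_ip"] = pic.identity_for("10.0.1.10", now=60)  # old mapping still reported

    # 2. ISE + RADIUS: same MAC reconnects with a new IP inside the cache period.
    ise = IdentityCache(cache_timeout=3600, radius=True)
    ise.ad_login("alice", "10.0.1.10", now=0)
    ise.radius_session("aa:aa:aa:aa:aa:aa", "10.0.1.10", now=5)     # merge: MAC learned
    ise.radius_session("aa:aa:aa:aa:aa:aa", "10.0.1.11", now=600)   # reconnect, same MAC
    out["ise_roam_new_ip"] = ise.identity_for("10.0.1.11", now=600)
    out["ise_roam_old_ip"] = ise.identity_for("10.0.1.10", now=600)

    # 3. ISE + RADIUS: wired -> wireless changes the MAC, so there is no continuity.
    ise.radius_session("bb:bb:bb:bb:bb:bb", "10.0.2.20", now=700)
    out["ise_wireless_before_login"] = ise.identity_for("10.0.2.20", now=700)
    ise.ad_login("alice", "10.0.2.20", now=720)                       # fresh Kerberos login
    ise.radius_session("bb:bb:bb:bb:bb:bb", "10.0.2.20", now=721)
    out["ise_wireless_after_login"] = ise.identity_for("10.0.2.20", now=721)

    # 4. Cache period expired: the binding is no longer reported.
    out["ise_after_timeout"] = ise.identity_for("10.0.2.20", now=720 + 3601)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 1 is the situation in the original question: with ISE-PIC alone the firewall keeps the stale wired mapping and has no identity for the wireless address until a new AD login or ticket refresh is seen. Scenario 3 is the wired-to-wireless case from the last reply: even with RADIUS, the new MAC has nothing to merge with until a fresh login creates a mapping at the new IP.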
02-15-2018 05:53 AM
Moved to the PIC Community after Craig's latest update clarifying the wired to wireless change.