10-23-2012 01:48 AM - edited 03-10-2019 07:42 PM
Hi
Setup.
I want to be able to deny wireless network access for some computers during periods.
This is done by moving the computer object to a specific AD group and using this in the ISE AuthZ policy.
Authentication is done with PEAP-MSCHAPv2 on the SSID
The first rule in the Authorization Policy is:
IF AD:group EQUALS x/x/deny_computer THEN 'Access_Reject'
And a bit further down:
IF Network Access:EapAuth EQUALS eap-mschapv2
AND AD:group EQUALS x/x/domain computers
AND radius:calling-station-id MATCHES .*(xxx_comp)$ THEN 'Access_permit' permit vlan 123
PEAP settings are not configured (PEAP session resume)
Problem:
If a fresh computer connects to the network and is in the 'deny_computer' group then it is blocked.
But if a computer already is authorized and then put in the 'deny_computer' group, it's not blocked when the WLC session times out.
ISE does a reauth and jumps directly to the 'permit vlan 123' rule.
Is it possible to force the session to start over, to have ISE not reauth the session?
Thanks
11-01-2012 01:01 AM
Hello Mikael-
Couple of questions:
1. Are you saying authentication succeeds if:
a. The timer on the WLC under "WLANs > WLAN_Name > Advanced > Enable Session Timeout" expires
b. The machine is placed in the "deny_computers" AD group
2. Is your deny rule above the permit rule? This is important because a computer is still a member of "Domain Computers" regardless of the fact that it is now also part of "deny_computers." Thus, if the permit rule is placed above the deny rule then authentication will succeed.
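To make the rule-ordering point concrete, here is an added Python model of ISE's first-match authorization policy over the two rules quoted in the opening post (example code, not from the thread or from Cisco ISE). The group names, the EAP method value and the calling-station-id pattern are the placeholders from the post; the host name "host/pc01xxx_comp" is a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

@dataclass
class Request:
    """One RADIUS/EAP request as ISE would see it (constructed sample)."""
    eap_auth: str                 # Network Access:EapAuthentication
    ad_groups: frozenset          # AD groups the computer object belongs to
    calling_station_id: str       # radius:Calling-Station-ID

@dataclass
class Rule:
    """One AuthZ rule; a condition left as None is not checked."""
    name: str
    result: str                   # e.g. 'Access_Reject' or 'Permit_vlan_123'
    eap_auth: Optional[str] = None
    ad_group: Optional[str] = None
    csid_regex: Optional[str] = None

    def matches(self, req: Request) -> bool:
        if self.eap_auth is not None and req.eap_auth != self.eap_auth:
            return False
        if self.ad_group is not None and self.ad_group not in req.ad_groups:
            return False
        if self.csid_regex is not None and not re.search(self.csid_regex, req.calling_station_id):
            return False
        return True

def evaluate(policy: List[Rule], req: Request) -> str:
    """First-match: the first rule whose conditions all hold decides the result."""
    for rule in policy:
        if rule.matches(req):
            return rule.result
    return "Access_Reject"        # implicit default deny when nothing matches

# The two rules from the opening post (group names are the post's placeholders).
DENY = Rule("deny_group", "Access_Reject", ad_group="x/x/deny_computer")
PERMIT = Rule("domain_pcs", "Permit_vlan_123", eap_auth="eap-mschapv2",
              ad_group="x/x/domain computers", csid_regex=r".*(xxx_comp)$")

def decide(deny_first: bool, in_deny_group: bool) -> str:
    """Decision for a domain computer, with the deny rule placed above or below permit."""
    groups = {"x/x/domain computers"}          # every computer stays in Domain Computers
    if in_deny_group:
        groups.add("x/x/deny_computer")        # blocked machines are ALSO in the deny group
    req = Request("eap-mschapv2", frozenset(groups), "host/pc01xxx_comp")
    policy = [DENY, PERMIT] if deny_first else [PERMIT, DENY]
    return evaluate(policy, req)

if __name__ == "__main__":
    for order in (True, False):
        for blocked in (False, True):
            print(f"deny_first={order} in_deny_group={blocked} -> {decide(order, blocked)}")
```

With the deny rule below the permit rule, a machine in both groups is still permitted, because the permit rule matches first and evaluation stops there.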
11-01-2012 04:49 PM
Hi,
ISE has the ability to apply time-based conditions to user authentication requests. You can also set session timeout conditions for specific users by using the RADIUS attribute instead of globally enabling the session timeout for all users.
Let us know what your use case is.
Sent from Cisco Technical Support Android App
11-01-2012 05:51 PM
That is a very interesting solution Tarik! Can you explain how you would go about accomplishing this? I took a look at my local test ISE instance and I am thinking that this would go under an authorization profile > authentication > Timer (see screen shot). Then you can assign that authorization profile to a certain domain group, etc.
11-03-2012 05:43 AM
Yes, it's something like that I'm looking for. In this case it would be for specific users, in a special AD group.
Where can I find/set the timeout conditions? And where is the global one?
(Can't find the one Neno is showing)
BR
Mikael
11-04-2012 02:08 PM
Mikael-
The global timeout is located in the wireless lan controller under:
WLANs > WLAN_Name > Advanced > Enable Session Timeout
The option that I have in the screen shot can be found under an authorization profile in ISE:
Policy > Policy Elements > Results > Authorization > Authorization Profile
Once you have the authorization profile created you can build new authorizations rules and tie the two together. For example, you can say:
IF your external identity group = special users
then use authorization profile called 30-Min
Let me know if this makes sense and if not I can perhaps give you more details/screen shots.
Thank you for rating helpful posts!
11-04-2012 07:07 PM
In ISE you can set the "session-timeout" attribute which is not a checkbox but it is under the advanced attribute settings under radius, and you can set a timer to whatever you like.
Thanks,
Sent from Cisco Technical Support iPad App
11-06-2012 09:00 AM
I did set session-timeout to 60 in an AuthZ result Permit_v_time.
After the first authentication I add my client to the group in AD that is for deny. Authentication with permit goes on, 5 minutes on the first try, 6 minutes on the second try and on the last try with WLC session timeout turned off about 3 minutes, and then I get a deny access.
I do not really understand how this works, what's with the 'around 5 minute' permit authentication and the deny?
Is it possible to do this in another way, to deny a user or a group of users access to the network during a certain period of time?
I have images but can't get them in to the post, just opens the image on the page.
Thanks.
11-06-2012 09:23 PM
I am a little confused by your last post. Can you confirm if I got this correct: You set the session timeout to 60 seconds. Then you moved the machine to the "Deny" group in active directory, however, the machine was still able to perform 5 (60 seconds x 5) successful authentications and then on the 6th min the machine was eventually denied access?
11-06-2012 11:22 PM
Yes and no, there is no consistency here.
The machine was moved to the deny group and I see (on the first sample) 10 x successful authentications before the deny kicks in. The delay between every successful authentication is different.
Not using Chrome helped with UL pictures :-)
This is the first test from yesterday, first successful authentication is when the machine gets connected,
11-07-2012 08:54 PM
Quick question: Is this in production or just your lab? The reason I am asking is because if it is production then ISE is most likely talking/querying more than one AD server. If that is the case then it is possible that once you make the changes in AD it takes 5-10 min for the changes to replicate across all of the AD servers in your domain.
I am guessing once the machine gets its first deny statement then it no longer gets any permit once, correct?
11-15-2012 11:57 AM
The one above is my lab. But that one is a copy from a production problem. So both :-)
In production the session time-out did not work, I need to look into that some more.
Thanks.
Mikael