ISE session reauth

Hi

Setup.

I want to be able to deny wireless network access for some computers during periods.

This is done by moving the computer object to a specific AD group and using this in the ISE AuthZ policy.

Authentication is done with PEAP-MSCHAPv2 on the SSID.

The first rule in the Authorization Policy is:

IF AD:group EQUALS x/x/deny_computer THEN  'Access_Reject'

And a bit further down:

IF Network Access:EapAuth EQUALS eap-mschapv2

AND AD:group EQUALS x/x/domain computers

AND radius:calling-station-id  MATCHES .*(xxx_comp)$ THEN 'Access_permit' permit vlan 123

PEAP settings are not configured (PEAP session resume)

Problem:

If a fresh computer connects to the network and is in the 'deny_computer' group then it is blocked.

But if a computer is already authorized and is then put in the 'deny_computer' group, it's not blocked when the WLC session times out.

ISE does a reauth and jumps directly to the 'permit vlan 123' rule.

Is it possible to force the session to start over, i.e. to have ISE not reauth the session?

Thanks

11 Replies

nspasov
Cisco Employee

Hello Mikael-

Couple of questions:

1. Are you saying authentication succeeds if:

      a. The timer on the WLC under "WLANs > WLAN_Name > Advanced > Enable Session Timeout" expires

     b. The machine is placed in the "deny_computers" AD group

2. Is your deny rule above the permit rule? This is important because a computer is still a member of "Domain Computers" regardless of the fact that it is now also part of "deny_computers." Thus, if the permit rule is placed above the deny rule, then authentication will succeed.
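To make the ordering point concrete, here is a small first-match policy evaluator written for this thread; it is an added illustration, not nspasov's code and not anything ISE ships. The rule names, the request fields, the constructed calling-station-id and the "stale groups" helper are all assumptions of the example; only the group names, the EAP type, the regex and the VLAN come from the original post.

```python
"""First-match authorization policy evaluation, modelled on the AuthZ rules
in this thread. Added example: field names and helpers are this example's
own, not ISE's."""
import re

# Constructed sample request: what the policy sees for the wireless computer
# after PEAP-MSCHAPv2. The computer is in BOTH AD groups, because adding it
# to deny_computer does not remove it from "domain computers".
REQUEST = {
    "eap_auth": "eap-mschapv2",
    "calling_station_id": "host/pc01.xxx_comp",   # constructed, matches .*(xxx_comp)$
    "ad_groups": {"x/x/deny_computer", "x/x/domain computers"},
}


def deny_rule(req):
    # IF AD:group EQUALS x/x/deny_computer
    return "x/x/deny_computer" in req["ad_groups"]


def permit_rule(req):
    # IF EapAuth EQUALS eap-mschapv2 AND AD:group EQUALS domain computers
    # AND calling-station-id MATCHES .*(xxx_comp)$
    return (req["eap_auth"] == "eap-mschapv2"
            and "x/x/domain computers" in req["ad_groups"]
            and re.match(r".*(xxx_comp)$", req["calling_station_id"]) is not None)


# (rule name, condition, result)
DENY = ("deny_computer", deny_rule, "Access_Reject")
PERMIT = ("domain_computers", permit_rule, "Access_permit vlan 123")
DEFAULT = ("default", None, "Access_Reject")   # implicit last rule


def evaluate(rules, req):
    """Return (rule name, result) of the first rule whose condition matches.
    Later rules are never consulted, which is why ordering decides the outcome."""
    for name, cond, result in rules:
        if cond(req):
            return name, result
    return DEFAULT[0], DEFAULT[2]


def with_stale_groups(req, groups):
    """Same request, but with group membership as a lookup would have returned it
    before the AD change (for example from a DC that has not replicated yet)."""
    return {**req, "ad_groups": set(groups)}


if __name__ == "__main__":
    print("deny first  :", evaluate([DENY, PERMIT], REQUEST))
    print("permit first:", evaluate([PERMIT, DENY], REQUEST))
    stale = with_stale_groups(REQUEST, {"x/x/domain computers"})
    print("deny first, stale groups:", evaluate([DENY, PERMIT], stale))
```

With the deny rule on top the machine is rejected; with the permit rule on top it gets VLAN 123 even though it is in the deny group, and a lookup that still returns the old group list permits it regardless of ordering.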

Tarik Admani
VIP Alumni

Hi,

ISE has the ability to apply time-based conditions to user authentication requests. You can also set session timeout conditions for specific users by using the RADIUS attribute instead of globally enabling the session timeout for all users.

Let us know what your use case is.


Sent from Cisco Technical Support Android App

That is a very interesting solution Tarik! Can you explain how you would go about accomplishing this? I took a look at my local test ISE instance and I am thinking that this would go under an authorization profile > authentication > Timer (see screen shot). Then you can assign that authorization profile to a certain domain group, etc.

Yes, it's something like that I'm looking for. In this case it would be for specific users, in a special AD group.

Where can I find/set the timeout conditions? And where is the global one?

(Can't find the one Neno is showing)

BR

Mikael

Mikael-

The global timeout is located in the wireless lan controller under:

WLANs > WLAN_Name  > Advanced > Enable Session Timeout

The option that I have in the screen shot can be found under an authorization profile in ISE:

Policy > Policy Elements > Results > Authorization > Authorization Profile

Once you have the authorization profile created you can build new authorizations rules and tie the two together. For example, you can say:

IF your external identity group = special users

then use authorization profile called 30-Min

Let me know if this makes sense and if not I can perhaps give you more details/screen shots

Thank you for rating helpful posts!

In ISE you can set the "session-timeout" attribute which is not a checkbox but it is under the advanced attribute settings under radius, and you can set a timer to whatever you like.

Thanks,

Sent from Cisco Technical Support iPad App
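What the "session-timeout" attribute (and the VLAN assignment from the permit rule) looks like on the wire, as an added example written for this thread and not taken from ISE, the WLC or Tarik's post: a small encoder/decoder for the RADIUS attributes an Access-Accept would carry. Attribute numbers and values are from RFC 2865, RFC 2868 and RFC 3580; the function names, the tag value and the inclusion of Termination-Action are this example's own choices (Termination-Action=RADIUS-Request is the standard way to ask the NAS to re-authenticate rather than just drop the session when the timer expires).

```python
"""Encode and decode the RADIUS Access-Accept attributes behind a per-user
session timer plus dynamic VLAN. Added example; not ISE or WLC code."""
import struct

# Attribute types (RFC 2865 / RFC 2868) and values (RFC 3580)
SESSION_TIMEOUT = 27            # integer, seconds
TERMINATION_ACTION = 29         # 0 = Default, 1 = RADIUS-Request
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
TAG = 1                          # assumed tag; tags 0x01..0x1F group tunnel attrs


def avp(attr_type, value):
    """One attribute: Type(1) Length(1) Value. Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def integer_avp(attr_type, value):
    return avp(attr_type, struct.pack("!I", value))


def tagged_integer_avp(attr_type, value, tag=TAG):
    # RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value
    return avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def build_accept_attributes(vlan, session_timeout, reauth=True):
    """Attributes a 'Permit_v_time'-style authorization profile would return:
    VLAN assignment, Session-Timeout, and optionally Termination-Action."""
    attrs = [
        tagged_integer_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        tagged_integer_avp(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802),
        avp(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + str(vlan).encode()),
        integer_avp(SESSION_TIMEOUT, session_timeout),
    ]
    if reauth:
        attrs.append(integer_avp(TERMINATION_ACTION, 1))
    return b"".join(attrs)


def parse_attributes(blob):
    """Decode a run of attributes into [(type, raw value), ...].
    Rejects truncated headers and lengths that run past the buffer."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("bad attribute length")
        out.append((t, blob[i + 2:i + ln]))
        i += ln
    return out


def session_timeout_seconds(blob):
    for t, v in parse_attributes(blob):
        if t == SESSION_TIMEOUT:
            return struct.unpack("!I", v)[0]
    return None


def vlan_id(blob):
    for t, v in parse_attributes(blob):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            if v and v[0] <= 0x1F:      # leading byte is a tag, not part of the ID
                v = v[1:]
            return v.decode()
    return None


if __name__ == "__main__":
    blob = build_accept_attributes(123, 60)
    print(blob.hex())
    print("VLAN", vlan_id(blob), "Session-Timeout", session_timeout_seconds(blob))
```

Setting only Session-Timeout makes the NAS end the session after the timer; whether the client is then re-authenticated against the current policy depends on the NAS honouring Termination-Action, so it is worth checking what the WLC actually does with both attributes in a packet capture.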

I did set session-timeout to 60 in an AuthZ result Permit_v_time.

After the first authentication I add my client to the group in AD that is for deny. Authentication with permit goes on, 5 minutes on the first try, 6 minutes on the second try and on the last try with WLC session timeout turned off about 3 minutes, and then I get a deny access.

I do not really understand how this works, what's with the 'around 5 minute' permit authentication and the deny?

Is it possible to do this in another way, to deny a user or a group of users access to the network during a certain period of time?

I have images but can't get them in to the post, just opens the image on the page.

Thanks.

I am a little confused by your last post. Can you confirm if I got this correct: You set the session timeout to 60 seconds. Then you moved the machine to the "Deny" group in active directory, however, the machine was still able to perform 5 (60 seconds x 5) successful authentications and then on the 6th min the machine was eventually denied access?

Yes and no, there is no consistency here.

The machine was moved to the deny group and I see (on the first sample) 10 x successful authentications before the deny kicks in. The delay between every successful authentication is different.

Not using Chrome helped with UL pictures :-)

This is the first test from yesterday; the first successful authentication is when the machine gets connected.

Quick question: Is this in production or just your lab? The reason I am asking is because if it is production then ISE is most likely talking/querying more than one AD server. If that is the case then it is possible that once you make the changes in AD it takes 5-10 min for the changes to replicate across all of the AD servers in your domain.

I am guessing once the machine gets its first deny statement then it no longer gets any permit ones, correct?

The one above is my lab. But that one is a copy from a production problem. So both :-)

In production the session time-out did not work, I need to look in to that some more.

Thanks.

Mikael