07-28-2014 04:59 AM - edited 03-10-2019 09:53 PM
Hi,
I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
Cisco ISE doesn't find the endpoint in my internal endpoint store and continues with Web Authentication.
But when I enable the PSN with the Profiling Service, Cisco ISE populates the internal endpoint store dynamically and I cannot use
Web Authentication because the endpoint is already in the internal endpoint store.
What's the best way to solve this problem?
Thanks in advance
Andre Gustavo Lomonaco
07-29-2014 01:12 AM
Make sure that the "Identity Store" or the "Identity Store Sequence" selected in your authentication is not set to "Internal Endpoints."
Thank you for rating helpful posts!
07-29-2014 12:39 PM
Hi Neno, let me clarify my question.
I'm already using my internal endpoints to permit authentication via MAB for my IP Phones, Access Points and Printers. I'm using Profiling to be able to populate this ISE internal database.
Now imagine that I want to use Web Authentication to permit authentication of guest workstations without 802.1X. If the profiler puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the "continue" option if the MAC is not found in the endpoints database. But when the profiler is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use Web Authentication.
07-29-2014 01:59 PM
So a couple of things:
1. If you are on ISE v1.2.x then you can create policy sets, which will allow you to separate the authentication scenarios.
2. If you can't use policy sets and you must use the "Internal Endpoints" in the identity sequence, then you just need to make sure that your "Allowed Protocols" is set to allow "PAP_ASCII - Host Lookup." That way the authentication will pass and the session will be sent to the authorization step.
Thank you for rating helpful posts!
07-30-2014 12:47 PM
You should use Endpoint Identity Groups (e.g. IP Phones, Access Points and Printers) in the Authentication and Authorization policy rules instead of just matching a rule if an endpoint is present in the database. The profiled workstations will not get into the IP Phone or AP group and will not circumvent web auth.
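A small added model (not ISE code, not from any poster) of the two authorization styles discussed in this thread: a rule that fires for any endpoint present in the internal store versus rules keyed on specific Endpoint Identity Groups. The endpoint store, group names and MAC addresses are constructed sample data; "Continue" on not-found is assumed to be set in the authentication policy, as the question describes.

```python
"""Simplified model of MAB authorization with and without Endpoint Identity Groups.

Shows why matching "endpoint exists in Internal Endpoints" lets a profiled guest
workstation skip Central Web Auth (CWA), while matching on specific groups does not.
"""

# Constructed sample endpoint store: MAC -> Endpoint Identity Group assigned by profiling.
# The guest laptop is added dynamically by the profiler into a generic group.
ENDPOINT_STORE = {
    "00:11:22:33:44:55": "Cisco-IP-Phone",
    "66:77:88:99:aa:bb": "Cisco-Access-Point",
    "cc:dd:ee:ff:00:11": "Printer",
    "de:ad:be:ef:00:01": "Workstation",   # profiled guest workstation (constructed)
}

# Groups that should legitimately get device access via MAB (hypothetical names).
MAB_GROUPS = {"Cisco-IP-Phone", "Cisco-Access-Point", "Printer"}


def authorize(mac: str, store: dict, match_any_known_endpoint: bool) -> str:
    """Return the authorization result for a MAB request from `mac`.

    match_any_known_endpoint=True models the weak setup from the question: any
    endpoint present in the store gets device access, so profiling alone is
    enough to bypass web auth.  False models the recommended setup: only members
    of the named Endpoint Identity Groups get device access; everything else,
    including unknown MACs (authentication set to "Continue" when not found),
    falls through to the CWA redirect rule.
    """
    group = store.get(mac)          # None == not in Internal Endpoints -> continue
    if group is not None:
        if match_any_known_endpoint:
            return "PermitAccess"   # weak: mere presence in the store is enough
        if group in MAB_GROUPS:
            return "PermitAccess"   # recommended: only known device classes
    return "CWA-Redirect"           # guests and unknowns get the web auth portal


if __name__ == "__main__":
    for mac in ENDPOINT_STORE | {"12:34:56:78:9a:bc": None}:
        print(mac, authorize(mac, ENDPOINT_STORE, True), authorize(mac, ENDPOINT_STORE, False))
```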
11-18-2014 11:22 PM
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_30_ise_profiling.pdf