04-29-2013 01:02 PM - edited 03-10-2019 08:22 PM
Hi,
We want to deploy ISE in sequencial order, meaning that I will initially have all users authenticate/authorized with dot1x/MAB etc, then only on certain locations or users to have posture condition validation/verification while others not.
Can someone please advise whether this approach is possible, as far I understand, once you have posture policies in place as authorization rule it will hit all the users. This may be possible where you can match the switch or the location as a seperate condition, but if all users are spread/mixed we just need to find a simple way how to do it or whether it is not possible..?
04-30-2013 05:12 AM
Hi,
Of course you can do that.
As you've said, you have authorization rules that control what happens to users/devices after they are authenticated.
For example:
a)
1. If user belongs to HR group, authorize and that's all.
2. If user belongs to domain users, and posture status not equals compliant, do a posture check
3. If user belongs to domain users and posture status equals compliant, authorize.
b)
1. If radius request comes from SW_A (located at floor 15 because HR users work there) and user belongs to domain users, authorize.
For everybody else, it's like in the first example.
Further more, you can do the same thing with dot1x implementation. (open mode phase, low impact phase and closed mode).
Check trustsec deployment options:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
05-02-2013 04:33 PM
Hi,
We have modified the attached policy on rule 04 and 05 (from top) and add a new condition Device location
Equal "Switch1".According to this rule any user connected to Switch1 only do the posture and same user PC
connect any other switch (other than switch1), it should do only the dot1x/MAB (rule 1-3).
But in our case user PC connect any other switch than switch1, it hit the ISE default policy
(not included in this attachement) and also it pop-ups the NAC agent and do the posturing.
Questions
-why the PC/user is not hitting rule 1-3 and goes to default rule
-why the PC/user is doing posture where there's no posture rule hitting.
We only need any user connects switch1 do dot1x and posture and other user connect any other switch (not switch1)
should only do dot1x.
Please let me know what configuration should exactly modify to have above requirement.
Also appreciate if someone can advise what is the best option to immediately rollback any user
not to do do1x and posture without modify anything on switch or user PCs and using simply task (1 or 2 click)
from the ISE. We know on old NAC we have option to select the port and say Control or Uncontrol.
Thanks in advance..
05-02-2013 11:51 PM
We have modified the attached policy on rule 04 and 05 (from top) and add a new condition Device location
Equal "Switch1".According to this rule any user connected to Switch1 only do the posture and same user PC
connect any other switch (other than switch1), it should do only the dot1x/MAB (rule 1-3).
But in our case user PC connect any other switch than switch1, it hit the ISE default policy
(not included in this attachement) and also it pop-ups the NAC agent and do the posturing.
Questions
-why the PC/user is not hitting rule 1-3 and goes to default rule
-why the PC/user is doing posture where there's no posture rule hitting.
Hi,
First of all, I would assume you configured the PC for machine or user authentication.
So, when a user connects to the network using other switch but not switch1, it will get 2 hits:
1. Computer authentication - this PC is part of Domain Computers
2. Default rule - because you configured (domain) user authentication for dot1x requests that are received only from switch1!
You haven't specified a rule for domain users alone (with no location condition) and with no posture.
You have to add something like this:
1. dot1x + Domain PC
2. dot1x + Domain User + location + preposture
3. dot1x + Domain User + location + posture compliant
4. dot1x + Domain User (and no posture condition)
To answer your second question, event though you 've excepted a certain user from posture, if NAC Agent is installed, it will popup and it will say that you're compliant, so practically it isn't doing posture
(http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html)
Generating a Posture Requirement
The run-time services requests for the posture requirement for the endpoint by looking up at the role to which the user belongs to and the operating system on the client. If you do not have a policy associated with the role, then the run-time services communicate to the NAC Agent with an empty requirement. If you have a policy associated with the role, then the run-time services run through the posture policies through one or more requirements associated with the policies and for each requirement through one or more conditions.
If you want to rollout for posture, you could use exception rules (check the top section of authorization rules) or you could do only posture audit for your rules so that everyone can get network access event though they're not compliant.
05-05-2013 01:04 AM
Hi Szolga,
Many thanks for your time on responding to my querries.
I will diffinately test on above senario and let you know.
05-03-2013 06:05 PM
Hello,
I went through your query and found below link which would help in solving your query:-
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.pdf
05-05-2013 01:45 AM
Hi Harvinder,
Thanks for your time and the response on this. I will let you know if I have any further question on this.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide