
Only Run for New Network Devices

airgangles
Level 1

I would like to create an auth rule that only runs once when a new device connects to my network via RADIUS for the first time. For example, a new iPhone attempts to authenticate on the network, it passes AD auth and then will require this second form of auth as well. On any future auth attempts, it will bypass the second auth since it has already successfully authenticated previously (assuming it passed both auth methods on the first connection attempt). Is there a variable I can use to check if a device has been previously successfully authenticated (passing both auth methods)? Thanks!

6 Replies

paul
Level 10

How do you envision this first auth working? At the network level you have MAB and Dot1x. If the device is configured to do Dot1x, which a phone can be configured to do, it will do Dot1x every time. If you are talking MAB there are no credentials unless you bring the session into a portal in ISE and collect them. At that point you could then map the device into an identity group. That identity group could be allowed on for future connections.

Not sure exactly what you are trying to accomplish.

The profile currently uses Dot1x with AD as the auth. This second auth will be an external RADIUS token server that will only require auth if the device has not successfully authenticated before.

Here is the workflow:
New iPhone (first time connecting to network) -> Authenticate with AD creds -> Receive two-factor push notification -> Network Access granted

Existing iPhone (has already passed both auth methods previously) -> Authenticate with stored AD creds -> Network Access granted

What type of device are we talking about? What you are describing would have to be parsed out in the authentication phase I think.

If you are talking about a device that supports a web browser then you could do this flow:

Authentication phase is strictly AD.

Authorization phase looks like this:

If MAC address is in identity group called MFA_Auth and AD credentials are in the correct AD group then allow on the network.

If AD credentials are in the correct AD group allow access but redirect the user to a guest portal in ISE.

Then you configure the guest portal to use the MFA server as an authenticator and put successful users' MAC addresses into the MFA_Auth identity group.

Finally, you can decide how often to purge the MFA_Auth identity group, i.e. you want the MFA process to be done once every 30 days. Or never purge it.
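As an added illustration of the two-rule authorization flow paul describes (this is a Python model written for this thread, not ISE configuration and not Cisco's code), the script below plays the policy through for one phone: first connect hits the redirect rule, the portal's MFA success writes the MAC into the MFA_Auth endpoint group, the next connect matches the first rule and gets straight through, and a scheduled purge after the 30-day window drops the MAC so MFA is required again. The group name MFA_Auth and the 30-day window come from the reply above; the AD group name, the MAC formats, the timestamps and the MAC canonicalisation are constructed assumptions.

```python
"""Model of the two-rule ISE authorization flow described in this thread (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MFA_GROUP = "MFA_Auth"                     # endpoint identity group named in the thread
MFA_VALIDITY = timedelta(days=30)          # purge window; the thread offers 30 days as one option
REQUIRED_AD_GROUP = "Corp-Wireless-Users"  # constructed placeholder for "the correct AD group"


def normalize_mac(mac: str) -> str:
    """Canonicalise to AA:BB:CC:DD:EE:FF so a lookup does not miss on formatting (assumption)."""
    digits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class IdentityGroup:
    """Stand-in for the ISE endpoint identity group; remembers when each MAC passed MFA."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._members: dict[str, datetime] = {}

    def add(self, mac: str, when: datetime) -> None:
        self._members[normalize_mac(mac)] = when

    def contains(self, mac: str) -> bool:
        return normalize_mac(mac) in self._members

    def purge(self, now: datetime, max_age: timedelta) -> list[str]:
        """Drop members whose MFA success is older than max_age; returns the purged MACs."""
        expired = [m for m, t in self._members.items() if now - t > max_age]
        for m in expired:
            del self._members[m]
        return expired


@dataclass(frozen=True)
class AuthzRequest:
    mac: str
    username: str
    ad_groups: frozenset  # AD groups returned during the dot1x authentication phase


def authorize(req: AuthzRequest, mfa_group: IdentityGroup) -> str:
    """Authorization phase: rules evaluated top-down, first match wins, like an ISE policy set."""
    in_ad_group = REQUIRED_AD_GROUP in req.ad_groups
    # Rule 1: MAC already in MFA_Auth and user in the correct AD group -> full access
    if mfa_group.contains(req.mac) and in_ad_group:
        return "PERMIT"
    # Rule 2: AD group is fine but no MFA on record -> access with redirect to the portal
    if in_ad_group:
        return "PERMIT_REDIRECT_PORTAL"
    # Default rule: nothing matched
    return "DENY"


def portal_mfa_result(mac: str, mfa_passed: bool, mfa_group: IdentityGroup, now: datetime) -> None:
    """Portal callback: on MFA success the endpoint MAC is written into MFA_Auth."""
    if mfa_passed:
        mfa_group.add(mac, now)


def run_scenario() -> list:
    """Walk one phone through first connect, a reconnect, a post-purge reconnect, plus an outsider."""
    mfa_group = IdentityGroup(MFA_GROUP)
    groups = frozenset({REQUIRED_AD_GROUP, "Domain Users"})
    day0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    results = []

    first = AuthzRequest("aa-bb-cc-dd-ee-01", "alice", groups)
    results.append(authorize(first, mfa_group))           # redirect to portal
    portal_mfa_result(first.mac, True, mfa_group, day0)   # push notification accepted

    again = AuthzRequest("AA:BB:CC:DD:EE:01", "alice", groups)  # same MAC, different formatting
    results.append(authorize(again, mfa_group))           # PERMIT, no second factor asked

    # 45 days later the scheduled purge runs, then the phone reconnects
    mfa_group.purge(day0 + timedelta(days=45), MFA_VALIDITY)
    results.append(authorize(again, mfa_group))           # back to the redirect rule

    # A user outside the AD group never passes either rule, whatever the MFA history
    outsider = AuthzRequest("aa:bb:cc:dd:ee:02", "bob", frozenset({"Domain Users"}))
    results.append(authorize(outsider, mfa_group))
    return results


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Running it prints the four decisions in order: redirect, permit, redirect, deny. The rule order matters: if the plain "AD group" rule sat above the "MFA_Auth and AD group" rule, every request would match it first and the phone would be redirected on every connect, which is the behaviour the original question is trying to avoid.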


I do have some devices without a browser (notably some Cisco IP Phones) but I understand your idea. I guess I was really looking for a way to identify a "trusted" device. Is there any way to implement your idea without the need for the guest portal? Side note: the second level auth will take the standard RADIUS creds used for AD authentication.

If the MFA solution is decent it can do what you are asking as well. I have customers using Azure MFA and it is smart enough to not ask for MFA every time. The first time I VPN to the customer each day I have to do MFA, but subsequent times I am not asked to do MFA. All the RADIUS traffic is sent to Azure and implements the policy of how often MFA happens.

Hmmmm, well I intended on using Duo for the second level auth but I also have AAD Premium at my disposal. I would really use whichever one works best.
