02-04-2020 04:36 AM
Hey
Can you somehow profile a computer with a certain AD security group?
Under Work Centers -> Policy Elements -> Profiler Conditions I find the Profiler List.
Here I can create a new condition with the Type ACTIVEDIRECTORY_PROBE; then I can choose an AD-xxx-xxx value.
I want to use the value "AD-Groups-Names" but can't find it here. Is there somewhere else I can use this value to profile my endpoints?
02-04-2020 08:51 AM
02-04-2020 02:16 PM
A more common (and effective) approach is to use active identity via 802.1x with AD integration and create AuthZ Policies using the ExternalGroups matching condition.
See the ISE Secure Wired Access Prescriptive Deployment Guide for more info
Cheers,
Greg
02-05-2020 01:07 AM
I have tried to use active identity via 802.1x with AD integration and create AuthZ Policies using the ExternalGroups; it works like a charm when the user is not logged on. But since the user credentials override the computer credentials' security groups, it doesn't matter which security group the computer is in when the user logs on.
02-05-2020 05:34 AM
02-05-2020 12:32 PM
To expand a bit on what @Mike.Cifelli states above, this is how the Windows native supplicant works. Windows has two states: User and Computer.
If the authentication mode in the supplicant is set to 'User or Computer', when the PC first boots prior to the User logging in (or when the user logs out), Windows is in the Computer state. In this state, the supplicant presents the Computer credential (either computer name and password for PEAP-MSCHAPv2, or the computer certificate for EAP-TLS).
When the user logs in, the state changes, and the user credential is presented. This also creates a new RADIUS session in ISE and terminates the older session.
If you want to use 'User or Computer' authentication, you would need to create separate AuthZ Policies for the two states and match on the respective ExternalGroups (e.g. Domain Computers, Domain Users, or something more specific).
If you only want to authenticate the Computer, you should change the authentication mode to Computer Only.
Cheers,
Greg
02-06-2020 01:15 AM
Hey
First of all, thanks for quick answers.
You are both on point! :)
Normally this is no problem using supplicant authentication mode "User or Computer". That's what we use today, but in this special case I need to use "User and Computer" to make a certain AuthZ rule apply.

And since that's not possible unless you use Cisco AnyConnect, I wanted to profile the computer as a certain type using the attribute "AD-Groups-Names", so that the AD "ExternalGroups" matching condition of the Computer Security Group gets applied in the profile. After that I can use user credentials to do a policy set and not worry about the computer credentials because they are already applied in the profiled endpoint.

This might sound a bit weird and a long way to go to get this working, but this is what I thought was possible to do.
02-06-2020 01:00 PM
Thanks for the explanation. It's more clear what you are trying to achieve now. Basically, you're trying to bolt together the active computer identity from 802.1x with the passive user identity from the AD Probe to achieve a similar outcome as EAP Chaining.
While this might be possible, it's not a validated design by the BU so I can't speak to how consistent it will be.
To achieve this, you would need to change the Windows supplicant to use the 'Computer Only' authentication method. You would then need to build your AuthZ Policy for both states.
The alternative is to wait for official MS support for Tunnel EAP (RFC 7170) which is standards-based EAP Chaining. TEAP is supported in ISE 2.7, but currently only available for testing in Windows via the Windows Insider program.
Cheers,
Greg