Re: Removing ISE Authentication for PC Maintenance

mbahij · ‎05-15-2018

Hi,

One of my customer is facing an issue when on of the PC required IT maintenance.

Summary of issue faced:

Unable to authenticate the pc after technical support activities.

Exact cases to reproduce the error:

1- Des-join the pc from domain then à Do the required Maintenance on the PC then à try to rejoin it again. (Once dis-joined will lose the connectivity as long becomes not part of the domain).

2- Formatting the pc will lead to losing the connectivity as well.

3- Maintenance team need to engage ISE team in each time they need to do PC maintenance which is not practical.

Needed Solution:

To find a way for helpdesk representatives to be able to connect to the domain controllers and DHCP servers while doing the maintenance for the targeted pc.

Thank you for your support..

gbekmezi-DD · ‎05-15-2018

You can do MAB with restricted access as a workaround. Also, you could do some type of internal portal that lets the technician choose a PC to put in a “maintenance” endpoint group and while that thing is in the maintenance group it does MAB and gets restricted access.

mbahij · ‎05-15-2018

Hi George,

do you have a reference that showing how to do MAB and/or how to do this internal portal to be accessed by PC technician?

Thanks..

paul · ‎05-15-2018

I would advocate setting up a Temporary Bypass Portal concept using the MyDevices portal. I set this up on every ISE install to allow Help Desk and Desktop team to add a MAC address into a temporary bypass condition so they can reimage/troubleshoot an issue. The temporary white list gets purged out every night.

Basic steps:

Setup a RADIUS callback external authentication (RADIUS token server) definition so you can do AD group restrictions on My Devices portal. Only the sponsor portal allows AD group restrictions, the other portals require us to do the RADIUS callback trick. It is documented on the forums. As a side comment "Cisco seriously this callback thing has gone on long enough, surely it can't be hard to add AD restriction to other portal besides the sponsor portal."
Create a RADIUS callback sequence that uses the token server definition.
Setup a policy set for the RADIUS callback to allow the desired AD groups in the authorization phase.
Create an endpoint identity group to hold the Temp bypass MAC addresses.
Create a purge policy to purge the endpoint identity group out everynight.
Create a My Devices portal that use the RADIUS callback sequence and puts the MAC addresses into the endpoint identity group created in #4.
Add a rule to your wired MAB policy set to allow the endpoint identity group created in #4 full access to the network.

paul · ‎05-15-2018

Also I have written a executable that uses the ISE APIs to automatically add the MAC address of the machine the executable is run on to the temp bypass whitelist. Customers have added this to their build sequence. Most customers just use the temp bypass portal though.

Damien Miller · ‎05-15-2018

How has the radius token been working well for you in the mean time? I've had a client asking for authz rules on the my devices portal for over a year. It is a much needed feature to be able to use AD/LDAP groups to provide my devices portal access.

The guest reg portal has it, why can't this one Cisco?

paul · ‎05-15-2018

I used the RADIUS callback on every ISE install. I probably have 30+ installs using it and my colleagues us it as well.

Damien Miller · ‎05-15-2018

While not a very elegant solution, this only works if the technicians are physically at the machine. Create a static endpoint ID group, assign technicians usb nic's into the group while documenting who owns them. When they need to re-image a PC they can utilize the usb nic to gain network access.