1022 Views, 0 Helpful, 5 Replies

Statically assign endpoints to a group as part of the authorization result.

marklevi (Cisco Employee)

Is there any way to statically assign endpoints to a group as part of an authorization result? Or any way to capture the current population of devices so new devices can be identified?

 

To accelerate the process of identifying new unauthorized devices in an environment, it would be useful to capture the existing population of devices as the known unknown "to be reviewed" device group. This group of devices could then be reviewed and moved into approved use cases with matching authorization rules.

Initially the default rule would be configured to assign any devices that hit it to the "to be reviewed" group.

After the existing devices have been captured in the group, a rule immediately before the default rule would be created to permit the known unknown devices. The new default rule would be used to trigger an immediate unauthorized device investigation. Many of these investigations will identify authorized devices that are not being on-boarded properly.

This would allow the "to be reviewed" group to be emptied over time. And once the unauthorized devices investigations have a low false positive rate the customer could change the default rule to a deny or guest access.

 

This process is dependent on capturing the initial list of grandfathered devices, and it seems that being able to statically assign endpoints to a group as part of the authorization result would be the simplest way.

5 Replies

hslai (Cisco Employee)

 

Endpoints that have gone through ISE hotspot portals or ISE BYOD will get assigned to static endpoint groups. Please review the info presented in the following two sections in the ISE Profiling Design Guide:

Unfortunately, those require someone to work through the portal to trigger the static assignment. I was looking for something that would capture IoT devices as well. I didn't think there was a solution, but was asked to reach out to the TME community. 

We could use the assignments of Endpoint Custom Attributes or the like to differentiate known and pending-review. Such info can be used as authorization conditions.

Custom attributes would actually work better than endpoint groups since we could allow the profiler to continue to group devices by type. But there still is not a simple way to add the attribute to all known devices... Maybe an export of all devices could be used to create the import file, but that seems more like a hack than a simple solution.
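
The two ideas in this thread, the two-phase rule order from the original post (capture everything into a "pending review" population first, then permit that population and investigate anything new) and the export-to-import trick above for stamping a custom attribute on every existing endpoint, can be modelled in a few lines. The following Python is an added example written for this page, not code from the thread or from Cisco; the export column names, the custom attribute name `ReviewStatus`, the values `pending-review` and `known`, and the sample MAC addresses are all constructed assumptions, not ISE's actual import schema, so the header row would need to be matched to a real export before use.

```python
import csv
import io

# Constructed sample of an endpoint export. Column names are an assumption
# for illustration only, not the real ISE export/import schema.
EXPORT_CSV = """MACAddress,EndPointPolicy,IdentityGroup
00:11:22:33:44:55,Cisco-IP-Phone,Profiled
AA:BB:CC:DD:EE:01,Workstation,Profiled
AA:BB:CC:DD:EE:02,Unknown,Unknown
"""

REVIEW_ATTR = "ReviewStatus"   # hypothetical custom attribute name
PENDING = "pending-review"     # grandfathered, not yet reviewed
KNOWN = "known"                # reviewed and approved


def build_import(export_text, status=PENDING):
    """Turn an export of the current endpoint population into an import file
    that stamps every existing MAC with the review attribute. Profiler
    columns are deliberately not carried over, so profiling keeps grouping
    devices by type independently of the review state."""
    reader = csv.DictReader(io.StringIO(export_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["MACAddress", REVIEW_ATTR])
    writer.writeheader()
    for row in reader:
        mac = row["MACAddress"].strip().upper()
        if mac:  # skip blank or malformed rows in the export
            writer.writerow({"MACAddress": mac, REVIEW_ATTR: status})
    return out.getvalue()


def load_attributes(import_text):
    """Index the import file by MAC so the policy model can look attributes up."""
    reader = csv.DictReader(io.StringIO(import_text))
    return {row["MACAddress"]: {REVIEW_ATTR: row[REVIEW_ATTR]} for row in reader}


def authorize(mac, attributes, capture_phase):
    """First-match model of the rule order described in the thread.
    capture_phase=True : the default rule tags every unseen device as
                         pending-review and lets it on (initial capture).
    capture_phase=False: a rule ahead of the default permits known and
                         pending devices; the default rule now raises an
                         investigation for anything the capture missed.
    Mutates `attributes` the way the real policy would mutate the endpoint."""
    mac = mac.strip().upper()
    state = attributes.get(mac, {}).get(REVIEW_ATTR)
    if state in (KNOWN, PENDING):
        return "permit"
    if capture_phase:
        attributes[mac] = {REVIEW_ATTR: PENDING}
        return "permit-tag-pending"
    return "investigate"


def approve(mac, attributes):
    """Review outcome: move a device from pending-review to known.
    Returns False if the MAC was never captured, so a typo cannot
    silently create a new 'known' entry."""
    mac = mac.strip().upper()
    if attributes.get(mac, {}).get(REVIEW_ATTR) != PENDING:
        return False
    attributes[mac][REVIEW_ATTR] = KNOWN
    return True


def pending_count(attributes):
    """Size of the 'to be reviewed' population; the goal is to drive this to zero."""
    return sum(1 for a in attributes.values() if a[REVIEW_ATTR] == PENDING)


if __name__ == "__main__":
    attrs = load_attributes(build_import(EXPORT_CSV))
    print("captured pending:", pending_count(attrs))
    print("known device:", authorize("aa:bb:cc:dd:ee:01", attrs, capture_phase=False))
    print("new device:", authorize("DE:AD:BE:EF:00:01", attrs, capture_phase=False))
```

The `capture_phase` flag is the only thing that changes between the two rule sets the original post describes; everything else (the permit rule for tagged devices, the review step, the shrinking pending count) stays the same, which is what lets the default rule be switched from "tag" to "investigate" and later to deny or guest access without touching the rest of the policy.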

Profiling Using the pxGrid Probe might be something to consider.
