Solved: Using IP address/subnet as an authorization rule in an ISE policy set?

Shaan · ‎03-07-2019

Scenario:

I have a MAB policy set where I permit various endpoints with some different profiler policies/logical profiles I’ve defined. Then the last rule is a default deny access.

We have a subnet which we allow guests to connect on, and we want them to get permitted regardless of what device they bring. So I want to add a rule just before the last rule which would permit any device coming from that subnet – I don’t care what profiler policy it matched. The problem is I can’t figure out a way to get this to work.

What I’ve tried/considered:

Create an “Endstation Network Condition” matching my subnet and use this in the policy rule. This unfortunately doesn’t work when I use a subnet but I noticed that it works if I use MAC addresses, presumably because the Radius Caller Station ID is a MAC address.
Create a condition to match on Radius Framed-IP-Address. This would almost work but the only options ISE gives you are Equals and Not Equals. I’m trying to match a /14 so listing every single IP address out isn’t possible.
Creating a profiler policy with a single check (IP address starts with) and giving it a really high certainty factor to outweigh all other profiler policies. This technically would work but then I’d lose the easy visibility of whether something is a Macbook/Windows Workstation/etc. because the endpoint profile would be getting overridden with this new one. That won’t work for us.
Give those guest ports an interface description like “Guest” and then in ISE use the SNMP probe to see this description and make that into a condition? I haven’t been able to get ISE to pull the interface description though, it just says ifDescr is for example “GigabitEthernet0/1”.

Any ideas on how to accomplish this are appreciated.

Thanks!

Shaan

howon · ‎05-06-2019

I suggest 'VLAN ID in NAS-ID attribute' option instead of 'mab eap'. Both are limited to MAB, but first option doesn't alter identity and simpler to implement.

View solution in original post

vickyviveku · ‎03-07-2019

Hello, We can have the domain base policy. Thing your organization i using the certain domain, apart from domain falls under different rule ( Guest will we in different domain or work group ). Create a /20 segment restricted VN and you can have the specific access allowed for the created segment. Create a rule with non domain laptops falls to this rule and the non domain laptops falls under non-compliant as well. Access restriction for posture non-compliant machines – we need to create an SGT (say Posture_NC) and define the policy in DNA to restrict the access to ISE. Posture NC machines also we will use the VN which is configured in a different VN with restricted access.

Jason Kunst · ‎04-29-2019

i see you posted to our internal PM community. Why can't you just assign an SGT to utilize? Or if guest flow or guest endpoint give a different authorization profile?

Mike.Cifelli · ‎04-29-2019

I think you are on the right track with idea #3. You can accomplish what you would like using the AD probe 'AD-Host-Exists' equals false. Since these guests hosts are not a member of AD you can profile the endpoints that way and reference that profiled endpoint group in your authz condition. I personally do not think you will lose the visibility of whether the guests hosts are mac or windows etc. You will still have other attributes collected. If you really wanted you can create a child policy using your new AD host exists profile as the parent. What this will do is ensure the host is not a member of the domain and then match a child policy let's pretend for a mac host. For example:

Parent policy: Domain Host Check -- AD-Host-Exists
Child policy: Macbook Check -- whatever attribute you decide to match

Then you will know if a host is profiled as Macbook Check that it is a) not a member of the domain b)a guest workstation identified as a MAC

HTH!

Shaan · ‎04-30-2019

Mike,

Interesting idea. In this case it wouldn't work for me though because we also have a bunch of other devices (security cameras, printers, etc.) that are allowed onto the network using profiling and they aren't joined to the domain. Cisco TAC and AS also looked into this and they said this specific flow can't be done today. I think a feature request is in the works though.

Thanks!

howon · ‎05-03-2019

Option 4 would be the best. Currently the IOS cannot send interface description, but can send data VLAN ID/Name that the interface is configured with 'switchport access vlan XXX' command. The other option is to use 'mab eap' on the specific guest interfaces where ISE can differentiate based on MAB request protocol. I have documented few options here: https://community.cisco.com/t5/security-documents/advanced-ise-tips-to-make-your-deployment-easier/ta-p/3850189#toc-hId--1934452079

Shaan · ‎05-06-2019

Thanks so much for this info. It would be great if IOS could send the interface description. And VLAN ID/Name is useful too, although unfortunately most of our switches are on 16.x but before 16.12 where this was fixed. I will try out the "mab eap" idea and report back.

howon · ‎05-06-2019

I suggest 'VLAN ID in NAS-ID attribute' option instead of 'mab eap'. Both are limited to MAB, but first option doesn't alter identity and simpler to implement.

Shaan · ‎05-06-2019

I've been testing this out and I am able to get it working. One caveat I have noticed is that if the MAC address is already in ISE, I have to delete the endpoint first for the new NAS-Identifier attribute to show up in ISE (and thus hit the correct authorization rule).

hslai · ‎05-11-2019

The caveat seems due to how the rules are ordered in the authorization policy of your policy set. If you would like such to pre-exempt all others, we could move it to Local/Global Exceptions.

Shaan · ‎05-06-2019

I tried the 'mab eap' method but am running into an issue. I configured 'mab eap' on the switchport, and in ISE I configured the policy condition to simply match the switch the request is coming from, and then an authorization rule for eap authentication = eam-md5. However on the switch, when the endpoint connects, it looks like this:

Switch#
May 6 10:24:19.540: %DOT1X-5-FAIL: Authentication failed for client (949a.a927.9cb2) on Interface Gi0/10 AuditSessionID 0A909A4800003EC8EA4D4CC9
May 6 10:24:19.558: %MAB-5-FAIL: Authentication failed for client (949a.a927.9cb2) on Interface Gi0/10 AuditSessionID 0A909A4800003EC8EA4D4CC9

Switch#sh auth sess

Interface MAC Address Method Domain Status Fg Session ID
Gi0/10 949a.a927.9cb2 N/A UNKNOWN Unauth 0A909A4800003EC8EA4D4CC9

Here's what I have in ISE:

Can you tell me what I might be doing wrong?

hslai · ‎05-11-2019

As you have a working solution, I would suggest you not to continue with this other idea of using EAP MAB.

Otherwise, please involve TAC and AS to troubleshoot. It's hard for us to tell what the issue might be without looking at the full policy sets and the auth reports.