Solved: Ask the Expert : Identity Services Engine (ISE) - Guest and Posture Troubleshooting - Page 3

Vidhi Mujumdar · ‎08-11-2016

Cisco ISE manages role-based security policy. It simplifies network-access delivery across wired, wireless, and VPN connections. ISE then integrates, consolidates, and automates the sharing of user and device data with other Cisco security and technology partners. This dynamic network access control improves IT operations as well as stopping and containing threats. As the modern network expands, the complexity of marshaling resources, managing disparate security solutions, and controlling risk grows as well. The potential impact of failing to identify and remediate security threats becomes very large indeed. A different approach is required for both the management and the security of the evolving mobile enterprise. With superior user and device visibility, Cisco ISE delivers simplified mobility experiences to enterprises. It also shares vital contextual data with integrated technology partner solutions. The identification, containment, and remediation of threats are all accelerated through the integration, consolidation, and automation that Cisco ISE provides. This session provides an overview of: Guest and Posture Flow Troubleshooting We’re expecting a basic knowledge being the initial configuration for ISE redirect flows for Guest and Posture. If you want to review these setups, we recommend checking out these links. Centralized Web Authentication Flow | Posture configuration

Ask questions from Tuesday August 30 to September 9, 2016

Featured Experts

Sam Hertica has been a Customer Support Engineer in the Technical Assistance Center AAA team in RTP since 3.5 years. He initially started out of college as an Intern on the RTP-AAA team supporting the latest ACS 5.3 and 5.4. Since then, he’s grown to support full ISE deployments, as well as creating tools and resources for his team to troubleshoot complex deployments. Sam graduated from Rochester Institute of Technology with a BS in Applied Networking and Systems Administration in 2012.

Maciej Podolski is a member of Technical Assistance Center AAA team in Krakow Poland. He enables customer everyday by resolving complex ISE / dot1x / ACS issues. Maciej graduated from the Warsaw University of Technology with a BS in Electrical and Computer Systems engineering, with major in Telecommunications. He has been passionate about the cyber security since his university years, his final thesis was about steganography in cloud storage. He is also involved in developing tools for the AAA TAC engineers. His favorite hobby is skiing.

Find other https://supportforums.cisco.com/expert-corner/events.

** Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

https://supportforums.cisco.com/expert-corner/events ">https://supportforums.cisco.com/expert-corner/events.

We look forward to your participation. This event is open to all, including partners. Please Share this event in your social channels. Have a technical question? Get answers here before opening a TAC case by visiting the Cisco Support Community.

ajc · ‎09-09-2016

Hi Maciej,

Thanks for answering my questions. I am referring to AD accounts.

I already knew and tested that expired password change enabled on ISE only works on Windows based devices. However, I wanted to implement a mechanism for expired password change on endusers using Android or Apple based devices. Basically, using the hotspot portal + link added, they would get a warning and the link would allow them to open another browser into the password change page. After additional investigation on the RFC + Microsoft site, I defined an authz condition like the following that could probably work:

Microsoft:MS-CHAP-Error matches "E=648"

Unfortunately when I was doing tests, it failed and after additional reviews I found the following on ISE as root cause:

Note: For authentication using PEAP, LEAP, EAP-FAST, EAP-TLS or Radius MSCHAP it is not possible to continue processing when authentication fails or user is not found. If continue option is selected in these cases, requests will be rejected.

I am using PEAP in the network for AUTHC.

QUESTION:

Do you know why we CANNOT use CONTINUE for those AUTHC mechanisms so the AUTHZ Policy could be hit/matched so the redirect occurs?

michael.yurchenko · ‎09-08-2016

We're evaluating ISE to manage wireless guest network and BYOD.

We'd also like to control corporate domain users' access through the firewall (outbound, no vpn). Would ISE be useful for that, or is there a better solution? I don't necessarily cherish the idea of implementing dot1x across all switchports.

mpodolsk · ‎09-09-2016

Hi Michael.

there is couple of options:

if you do not want to implement dot1x at all, with ISE 2.1 there is a new feature called easy connect. it allows to integrate the AD and the ISE without dotx, you need MAB only. then you can push access lists based on user groups down to the switches/WLC

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200559-Configure-EasyConnect-on-ISE-2-1.html

For more granular filtering if you have asa with firepower module or firepower sensor you can integrate that directly with AD.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

Or if you have pure asa you can check out the identity firewall feature:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/aaa-idfw.html#45801

I hope that helps out :)