12-12-2017 12:34 PM - edited 02-21-2020 10:41 AM
Hello,
Sorry that this has been asked a dozen times or more, but I cannot find anything current that directly answers the question.
I am trying to authenticate users based on both AD user group and machine name or group using ISE 2.3. Machines are Windows 7, Windows 10 and macOS. Currently, I am authenticating users based on their AD group, but this does nothing to prevent a user bringing in their own laptop and connecting to the internal network with their AD credentials.
I have found some solutions using MAR or the AnyConnect client, but neither of these is a viable solution, and those articles are from 2010-2013. I am hoping a solution has been developed over the past 5 years.
I have one line in my RADIUS logs, AD-Host-Resolved-Identities, that shows the computer name, but I cannot find a rule in the policy set attributes for it.
Any help would be much appreciated.
12-12-2017 07:49 PM
12-13-2017 06:57 AM
You could try to profile your corporate assets. One example I have seen is to set a custom DHCP class identifier on your corporate laptops; then you can build a profiling policy which looks for that custom classID in the request and only authenticates the user if that custom classID is found.
You could also perform posture checks, looking for something specific from your corporate OS build (registry key, file, etc.).
Another option would be to issue certificates to both users and computers and mark the certificates as not exportable. Then you would be quite certain that if the certificate is presented to ISE, it is coming from a corporate asset/user. But if you currently don't have PKI infrastructure set up in your organization, that would be a lot of work then.
I realize that none of these options are straightforward...just possible suggestions I was thinking about.
12-13-2017 10:52 AM
Thanks for the detailed response. I have been trying to do the machine cert + user auth method, but I must admit that my overall understanding of the cert process is a bit lacking. I have added our internal CA as a trusted source, but I am not entirely sure what cert the user machine passes to ISE or how to dictate that process. I have tried exporting certs from ISE, putting them on the machine and then setting the wireless profile to use it as the validation cert for the connection, but that has not worked.
12-15-2017 02:43 AM
This would generally be the sequence:
1. Upload your CA cert under the Trusted Certificates in ISE and make sure you mark it as "Trust for client authentication and Syslog".
2. In ISE go to "Certificate Signing Requests" and generate a new CSR, selecting "EAP Authentication" as the intended purpose.
3. Go to your CA and issue a new certificate for your ISE with the "Server authentication" purpose based on the CSR you generated.
4. Go back to the "Certificate Signing Requests" section in ISE and bind the CSR.
5. Import the CA cert into the client.
6. Issue certificates to your clients, making sure the template has "Client authentication" as the purpose.
This is a very high-level description, but that is generally the idea: the client must present a certificate issued from a CA that ISE trusts, and ISE must present a certificate that the client trusts.
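To make the two certificate purposes in the steps above concrete, here is an added example (not from this thread, and not Cisco's or Microsoft's tooling) that builds a throwaway lab PKI with openssl and then applies the same acceptance test ISE applies to a supplicant's certificate: does it chain to the trusted CA, and does it carry the Client Authentication EKU? It assumes openssl 1.1.1 or later in PATH; every name (lab-ca, ise.lab.example, laptop01, personal-laptop) is made up.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway lab PKI built with openssl to
# show the two certificate purposes the steps above depend on. Assumed: openssl
# 1.1.1+ in PATH; every name (lab-ca, ise.lab.example, laptop01) is made up.
set -e

issue() { # issue <dir> <name> <subject> <EKU>: sign a CSR with the lab CA
  printf 'extendedKeyUsage=%s\n' "$4" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "$3" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

make_lab_pki() { # make_lab_pki <dir>
  mkdir -p "$1"
  # Step 1: the CA certificate that gets uploaded to ISE's Trusted Certificates
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
    -subj "/CN=lab-ca" -days 30 2>/dev/null
  # Steps 2-4: ISE's EAP certificate, issued with the Server Authentication EKU
  issue "$1" ise "/CN=ise.lab.example" serverAuth
  # Step 6: a corporate machine certificate from a Client Authentication template
  issue "$1" laptop01 "/CN=laptop01.lab.example" clientAuth
  # The BYOD case: right EKU, but self-signed and so not linked to the trusted CA
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/byod.key" -out "$1/byod.pem" \
    -subj "/CN=personal-laptop" -days 30 -addext extendedKeyUsage=clientAuth 2>/dev/null
}

# Mirror of what ISE must decide for a supplicant's certificate: does it chain
# to a trusted CA, and is it usable for client authentication?
check_client_cert() { # check_client_cert <ca.pem> <cert.pem>; exit 0 = acceptable
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

# Usage: make_lab_pki ./lab && check_client_cert ./lab/ca.pem ./lab/laptop01.pem && echo accepted
```

Run against the three generated certificates, only laptop01.pem is accepted: ise.pem fails the purpose check (Server Authentication only) and byod.pem fails chain validation, which is exactly the separation the thread is after.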