This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Thanks for the reply.
I had another specific question regarding the External RESTful Services API. Is there any way to directly obtain session details via an IP address? I know that the documentation allows for NAS IP Address searching, but I want to search for an active session where the user has a particular IP address (not the NAS IP). Is there any way to do this?
Also, going back to the scenario where Super Admin rights are required to access the API - is there any way to secure the credentials of the Super Admin account in the HTTPS requests? It can be a big issue if these credentials are compromised because it gives total access. This would not be too big of an issue if the bug you mentioned was not present.
I'm afraid, it's not possible to check/search the session based on IP address.
Usually end station/device identifies based on Mac address or/and ID number.
Please check more using ERS page stored on ISE, this will give you an idea which filters are supported and what kind of API call you need to make.
Link to ERS page:
https://<ISE IP address>:9060/ers/sdk
*Make sure you have enabled it first following: Administration --> System --Settings -->ERS settings
Regarding your second question.
Basic authentication adds a header to each request which contains a Base64 encoded username/password pair. However, it's "simple" cipher and might be decoded in a simple way. But this will be only an issue when you do the API call using "HTTP", if you use "HTTPS" it will be secure by SSL. So, use only "HTTPS" with your API Calls.
Is there any specific support or way to handle imaging/installation of pc's from Microsoft SCCM initiated with PXE boot ?
A way to allow the client to temporary get access to the required network resources during the installation, since the pc is not able to authenticate itself before it's fully installed.
Thank you for that questions. When PXE device is booting we could use MAB authentication and limit its access using dACL: to allow DHCP and access to MS server.
Once device will be fully installed, dot1x can take precedence (authentication priority dot1x mab) and machine will be securely authenticated with dot1x.
That is explained with the example in the guide below (Low-Impact Mode section):
The current SCCM setup requires access to a lot of different resources during the install, which makes it almost impossible to get a full dACL configured to allow access,
So I was looking for if SCCM & ISE could exchange information, like when a PC is about to be installed the MAC address could be exchanged from SCCM to ISE allowing it full access to the network for a very limited amount of time, could something like this be possible ?
Well, I am afraid that will be not possible in the way that was described. ISE needs to know exactly what access should be allowed for the PXE process in order to send that to switch (VLAN or dACL). Another way could be to create some endpoint group for devices which will be allowed to access full resources. However that will require to manually add endpoint to that group and then either remove it or set some purge policy (like after one day endpoint will be removed from the PXE group and no longer will have full access).
Hope that clarifies your question.
It's possible to create an ADAM/LDS instance in your AD, where you can store mac addresses for PXE use, and then have ISE look for mab there, your sccm server can execute a powershelle script when you choose a machine to PXE in the sccm management system, this script should then create the mac of the machine (which should be in the sccm inventory already), next time the machine reboots to load WinPE via PXE, it will fail dot1x, but then it's mac is in the LDS tree, and ISE can mab authenticate it. You of course also need a script that runs when the machine has been completely imaged, that removes the mac addres from the LDS tree again.
I wonder if you could share your experiences working with OSX and ISE and what is the best method for getting a working Posture/Dot1x setup in place when the workstation is joined to an active directory domain? I have had many issues with creating profiles for OSX etc and although I'm sure you may not want to go into the specifics of OSX profiles if you could give a general overview of the approach that has worked best in your experiences it would help me greatly!
Thanks in advance,
Thank you for your question.
We have few guide, following which you can set all for posture, sharing some of them with you:
Needless to say to check "Posture Assessment Options" for Macintosh before the integration, to be sure that your posture scenario is supported.
From "real life", posture integration and posture issues are really depends on specific project needs and I'm not sure there is a best practice, that we can share.
Recently we've upgraded from ISE 1.1 to 1.3 and although we gained lots of useful features we have lost a very important one:
With v1.1 if we created a guest user with the sponsor portal and set up the account validity for 24 hours the clock started ticking whenever the user first logged into the network. With 1.3 this is not possible.
Does 1.4 or 2.0 support this feature or is there any patch that can be applied to the current version (1.3) to get this feature back?
Thank you for that question. More and more customers are reporting willingness to have that feature back (FromFirstLogin), so for sure that is hot topic.
There is already enhancement request opened for that, you could subscribe and you will be notified if something will change in that matter:
I can see that there are plans to get that feature back to ISE next year.
My question is regardless to integration between ISE and ASA VPN. Cisco ASA from version 9.2 is able to send to ISE some of the endpoint’s attributes via RADIUS protocol. (mdm-tlv=device-platform, mdm-tlv=device-type=, mdm-tlv=device-mac=, mdm-tlv=device-platform-version=, mdm-tlv=device-uid=), Based on those attributes we are able to create the authorization Policy in Cisco ISE like if mdm-tlv=device platform EQUAL windows THAN xxxx. Yes, this could be nice, but it is not in the corporate environment.
Usually our customers wants to have possibility to establish VPN connection only with corporate devices. For that purpose we can use the attribute mdm-tlv=device-mac. If we have a database of MAC addresses (wired, wifi ) of corporate devices in some specific ISE group like “group name “VPN-ALLOW”, we are able to match the condition like “IF network-device-group EQUAL to VPN-ALLOW THAN xxx “
Yes, this is “more secure“, and we suppose that Cisco ISE works it this specific scenario like this:
Use the attribute mdm-tlv=device-mac and compare it with internal DB of MAC addresses. If match then assign this MAC address to founded internal Endpoint Group
But still the most secure scenario should be using the attribute mdm-tlv=device-uid – Unique identification of every endpoint device. We thought to fill this attribute into Active Directory to every user (bind the domain user with his asset) and then ask in ISE – IF user attribute from AD equal to mdm-tlv=device-uid – THAN connect.
Unfortunately, this is not possible in ISE.
We can just create condition like IF uid STARTS with abc... THAN connect – this is not scalable solution at all (text comparison from ASA attribute against predefined constants)
Will be there any improvement with integration of ASA vs ISE and checking the ASA attributes from ASA? Still this solution is possible to implement on ASA via hostscan, DAP and LUA…
Or is there any way, how to use this scenario in corporate environment?
Thank you for this question.
In your scenario, in addition to HostScan/DAP/LUA or checking mac addresses in a way you described, you might consider Posture with Registry check action. On ISE side you can create specific registry condition, where you will be checking your domain name.
Unfortunately, the functionally that you are asking for is not available on ISE and I doubt to see it in the Road Map for ISE.
Thank you for your answer. If we summarize it - ASA with HostScan and LUA are "good tools" for checking of the endpoint. ASA attribute (send via RADIUS to ISE) except the attribute mdm-tlv=device-mac= are useless. Yes, possible solution is the posture module of AnyConnect, but it is not scalable for external organizations which usually connecting via VPN into the customer network.