Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1965
Views
0
Helpful
3
Replies

Cisco ISE 2.2 profiling and Endpoint database

akbarayub2013
Level 1
Level 1

‎04-18-2017 03:44 PM - edited ‎03-11-2019 12:38 AM

Scenario 1. Switch port configured for MAB and dot1x. Cisco ISE 2.2 configured for network authentication.

Dell laptop is then connected to switch port. ISE dynamically profile the laptop as Dell. Adds the MAC address to the internal endpoint database. 

Authentication passes. Default authorisation permit access. 

Question. Why is ISE adding the MAC address to the internal endpoint database​. Surely this is a security risk. If ISE is dynamically profiling then adding to the internal endpoint database. An attacker can connect his laptop to a switch and be authenticated. How do you stop this without creating and authorisation profile to restrict access. Surely you should be able to configure ISE so authentication fails. 

Scenario 2. Following the Central web authentication work flow. I can not get authentication to fail because every device i connect to the port is dynamically profiled and added to the internal endpoint database. Then authentication passes. 

Question 2. The default behaviour of ISE which is to profile and add device in to endpoint database and then pass authentication for device will mean you can never pass phase 1 of the CWA work flow. How do you get around this?

5 people had this problem
Labels:
0 Helpful
3 Replies 3

Rahul Govindan
VIP Alumni
VIP Alumni

‎04-19-2017 05:01 AM

In most cases, Internal Endpoints is only used for authentication. Authorization is used in conjunction with a specific Profiled group (say Dell, Cisco IP phone) to allow access.

For CWA, you would need to authenticate known mac addresses and allow unknown mac address to authenticate. Authorization is where you would use a policy to catch any unknown mac address into the CWA redirect.

0 Helpful

akbarayub2013
Level 1
Level 1
In response to Rahul Govindan

‎04-19-2017 07:32 AM

Thanks Rahul,

To Clarify further my understanding

MAB authentication is for devices on the network, IP Camera, Card readers etc..

So this matches one of my use cases. Excellent.

From your explanation I understand that authentication and authorisation will have to work hand in hand for the requirement. 

CWA

For CWA to work you have to fail MAB authentication. (As the device is a guest/unknown on your network).

So the MAB rule/condition is "if authentication = failed" & "If user not found = continue" in the internal endpoints database. 

At this point the authorisation rule configured will send down the redirect URL. 

The problem I'm hitting is the default behaviour of ISE is to profile and add the device into the Endpoint database. So Phase 1 of CWA with the above condition will not pass because ISE has profiled and added the guest device into the internal endpoint database. 

I'm guess the MAB rule may have to change to something like  >

 "if authentication = failed" & "If user not found = continue" in the internal endpoints database.  profile group (i.e hp printers)

thanks

0 Helpful

Garry Cross
Level 1
Level 1
In response to Rahul Govindan

‎07-24-2018 02:22 PM

So is my thinking correct that if there is multiple authentication conditions then the authorization condition that has the profile "PermitAccess" should also have more than just the condition "Network_Access_Authentication_Passed" which is what the default policy is doing. It should be "Wired_802.1x and Network_Access_Authentication_Passed" so that a wired MAB that passes auth but is not yet part of a specific endpoint group such as an IP Phone group or Printer group will be denyied access.

 

0 Helpful
Customers Also Viewed These Support Documents