Cisco ISE 2.2

jm.virtual01
Level 1

If the authentication failed on Cisco ISE 2.2, then what happens with that endpoint? How will it go to the guest VLAN?

Can I manage that? I have two groups of endpoints which are profiling correctly and want to assign different guest access. That is, Group A can go on the Internet through the Guest Access, but Group B cannot go anywhere through the Guest Access in the authentication failure scenario.

Does anyone have any suggestions on it?

 

4 Replies

Can you elaborate a little bit on that group part? Is this an AD group or an endpoint group?

Let's say you have Group A (guest access) in which machines are added > the authorization policy will have the internet VLAN.

Group B (intranet access) in which machines are added > the authorization policy will have the intranet VLAN.

If Group B fails dot1x, you can configure a MAB policy with a limited-access VLAN in the authorization profile (in case of failure).

-Aravind


Both groups are endpoint groups. Group A is a specific device group such as database machines, scales, quality machines, etc., and Group B is a workstation group.

How can I restrict the access for Group A in case of authentication failure?

Is the authorization profile common to all authentication-failed endpoints? I want to restrict the specific group.

 

 

What kind of failure are you expecting in case of MAB?

If the endpoint does not belong to both the endpoint groups, you can try web-auth in that case as a failure.

-Aravind

In order to fully understand I would need to see how your policy sets + conditions are built out.  

 

How can I restrict the access for Group A in case of authentication failure?

You can create a DACL and assign it to a separate authorization profile so that when hosts fail then they get that specific authorization profile result and the DACL gets applied to their session.

 

Or if you are utilizing TrustSec you can assign a separate SGT to the session that is restricted in your TrustSec matrix.

 

Is the authorization profile common to all authentication-failed endpoints? I want to restrict the specific group.

Not exactly sure what you are asking here.  However, the authorization profile is basically the result/s applied to a session based upon matching conditions configured in your policy.

 

Hope this helps.