Cisco ISE: Making selected devices bypass a rule

DAVID NOONAN
Level 1

Users connect to wifi and are auth'd against LDAP and assigned a VLAN based on LDAP info UNLESS they are on a mobile device. In that case they're assigned to a "mobile" VLAN for all the personal phones, tablets, etc.

This is working great except that of course we have a few devices that are used for internal testing and what not and those need to go to the user's normal VLAN, not the mobile one.

So the authz policies are roughly:

1. if (Endpoint:LogicalProfile = Mobile-Device) then { vlan = mobile }

2. if (user-ldap-group_X) then { vlan = X }

3. if (user-ldap-group_Y) then { vlan = Y }

4. if (user-ldap-group_Z) then { vlan = Z }

I know the MAC of the internal devices and the easiest solution would be to put those end points in an Identity Group and then have rule 1 test that the device is NOT in that Identity Group.  Sadly, you don't seem to be able to test against the Identity Group that way.

So, what's the easiest way to do this?

4 Replies

DAVID NOONAN
Level 1

Solved my own problem again.

Looking at an endpoint debug shows the IdentityGroup is empty so that explains why I can't match it.

Looking for other options I found I could build the following condition:

Radius:Calling-Station-ID NOT Equals BYPASSMAC1

Radius:Calling-Station-ID NOT Equals BYPASSMAC2

etc

I can now tack this onto my Rule 1 and it seems to be working.
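The policy in the question and the fix in this reply can be simulated to see exactly why tacking the NOT-Equals conditions onto rule 1 makes the test devices fall through to the LDAP-group rules. The following is an added example, not Cisco code and not anything from the thread: the rule names, VLAN values, bypass MACs and sample requests are constructed, and the MAC normalization is an assumption made here because Calling-Station-ID can arrive in different formats depending on the network device.

```python
# Added example: first-match simulation of the ISE authorization policy
# discussed in the thread. All names, MACs and requests are constructed.
import re

# Internal test devices that must bypass the mobile rule (constructed placeholders).
BYPASS_MACS = {"AA-BB-CC-00-00-01", "AA-BB-CC-00-00-02"}


def normalize_mac(mac: str) -> str:
    """Canonical form: upper-case, hyphen-separated octets.

    Assumption: Calling-Station-ID may be sent as aa:bb:cc:dd:ee:ff,
    aabb.ccdd.eeff or AA-BB-CC-DD-EE-FF, so compare on a normalized value
    rather than the raw string.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


_BYPASS_NORMALIZED = {normalize_mac(m) for m in BYPASS_MACS}


def rule_mobile(req):
    """Rule 1: Endpoint:LogicalProfile = Mobile-Device AND
    Radius:Calling-Station-ID NOT Equals each bypass MAC."""
    if req["logical_profile"] != "Mobile-Device":
        return None
    if normalize_mac(req["calling_station_id"]) in _BYPASS_NORMALIZED:
        return None  # bypass device: rule 1 does not match, evaluation continues
    return "mobile"


def rule_ldap_group(group, vlan):
    """Rules 2-4: user is a member of a given LDAP group -> that group's VLAN."""
    def rule(req):
        return vlan if group in req["ldap_groups"] else None
    return rule


# Ordered like the authz policy in the question; first match wins.
AUTHZ_POLICY = [
    ("Mobile devices", rule_mobile),
    ("Group X", rule_ldap_group("group_X", "X")),
    ("Group Y", rule_ldap_group("group_Y", "Y")),
    ("Group Z", rule_ldap_group("group_Z", "Z")),
]


def authorize(req):
    """Return (rule name, VLAN) for the first matching rule,
    or ("Default", None) when no rule matches."""
    for name, rule in AUTHZ_POLICY:
        vlan = rule(req)
        if vlan is not None:
            return name, vlan
    return "Default", None


if __name__ == "__main__":
    # Constructed sample requests: a personal phone, an internal test tablet,
    # a laptop, and an unknown user.
    samples = {
        "personal phone": {"logical_profile": "Mobile-Device",
                           "calling_station_id": "11:22:33:44:55:66",
                           "ldap_groups": ["group_X"]},
        "test tablet": {"logical_profile": "Mobile-Device",
                        "calling_station_id": "aa:bb:cc:00:00:01",
                        "ldap_groups": ["group_Y"]},
        "laptop": {"logical_profile": "Workstation",
                   "calling_station_id": "AA-BB-CC-DD-EE-FF",
                   "ldap_groups": ["group_Z"]},
        "unknown": {"logical_profile": "Workstation",
                    "calling_station_id": "00-00-00-00-00-01",
                    "ldap_groups": []},
    }
    for label, req in samples.items():
        print(f"{label:15s} -> {authorize(req)}")
```

The test tablet profiles as Mobile-Device but its MAC is in the bypass set, so rule 1 returns no match and the user's own LDAP group rule assigns the VLAN, which is the behaviour the reply describes. Two things worth keeping in mind when using this approach in a real policy: compare MACs in a normalized form so a format difference between network devices does not silently defeat the exception, and treat a MAC-based exception as a weak identifier, since anything presenting one of those addresses will be steered to the user's VLAN instead of the mobile one.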

Glad to see you figured it out. The reason you can't use the identity group is that you are using PEAP, and ISE is looking in your AD for the users, and getting its "user" information from there, not from the ISE internal endpoints database. I would suggest that you instead create a test user in your LDAP that is a member of a new "test" AD group; then you can use any device to test, as long as you log in with the user that is a member of that test group. No need to enter MAC addresses and create new rules every time you get a new device that needs to be used for testing. If you need multiple users, just add a new user to that group. Then just create one new authz rule that matches that external identity group.

We're using LDAP but not AD. 

My rule 1 matches on the device being in the Mobile-Device LogicalProfile. I suppose I could override that with a particular LDAP group but our LDAP implementation isn't exactly easy to work with and I'm not the admin so I'd rather my solution be in ISE.  

I'm not a huge fan of what I came up with, using the endpoint's group would be cleaner, but it works for now. 

No problem, just thought I would give you another option.