FMC learning MAB authentication via pxGrid ISE?

cpaquet
Level 1

FMC is integrated with ISE. In FMC Access Control Policies, we can now see, under the tab SGT/ISE Attributes, Device Type, IP Location and SGT. We are using the Device Types to block some devices, like printers, from reaching the Internet.

However, is there a way to learn from ISE the devices that have been successfully MABbed? Long story, but: the customer setup is that they do MAB on all devices (printers, computers, etc.; they don't do 1X or CWA). But on the switch port, they don't apply a pre-AuthC Access-List inbound. So, basically, traffic is allowed on the switch port. However, from the Edge Firewall, we would like to say that only devices that have successfully passed the MAB authentication are allowed to go out.

Thanks.  


3 Replies

Mike.Cifelli
VIP Alumni
AFAIK this is not a capability supported in FMC. IMO you have several ways to skin the cat here to meet the requirement. Even if you could create access control entries based on the MAC, I feel like that would be rather tedious and a lot of admin overhead. If you are utilizing TrustSec and push information via pxGrid to FMC, why not just create the rules to block based on your printer SGT, for example? You also have the old-fashioned way of blocking by IPs. Looking at it from the switch side now, are you not doing closed authentication? Why couldn't you auth the endpoints via MAB and have ISE push down a dACL, or, if properly using TrustSec, set up your matrix so that the nodes you don't want to reach the internet only have north/south or east/west traffic as you wish?

Thanks, Mike, for your answer.

1. The customer is not doing TrustSec (my bad for misleading you when I mentioned that under the FMC, thanks to pxGrid, we were seeing attributes from ISE. The only attribute that populates through pxGrid is Device Type, since TrustSec hasn't been turned on).

2. Blocking at the firewall would not be the solution to stop non-authenticated endpoints from leaving the Network. We need to have a way to find out: is the endpoint authenticated? [Another frustrating point at that customer is that the entire network's endpoints (IP Phones, printers, workstations) are all on the same 10.0.0.0/16 network (don't ask me why!!!).]


Remember the requirement of my original question:

A. Endpoints are all MAB, (not 1x)

B. The customer is not using pre-AuthC ACLs on the switchport!!! So, the moment the command authentication open is added, the traffic starts going through the port. That traffic could find its way to the edge firewall and leave for the internet. Thus, it would be nice if the NGFW could query ISE with "is device authenticated".


My personal opinion is that the customer needs to implement more features of 1X/MAB to fix this issue. The piecemeal approach is not working here.


Thanks anyway. Consider this case closed.
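As an added illustration (not from any of the posters above), here is a sketch in legacy IOS syntax of the two switchport styles the thread contrasts: the open-mode MAB port with no pre-AuthC ACL that cpaquet describes, and the closed-mode MAB port with an ISE-pushed dACL that Mike suggests. Interface names, VLAN, the RADIUS server address/key and the ACL contents are constructed placeholders.

```ios
! --- Global AAA/802.1X plumbing assumed for both ports ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
ip device tracking                      ! needed so a dACL can be bound to the host IP
radius server ISE-PSN
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813   ! constructed address
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
!
! --- Weak: open mode, no pre-AuthC ACL (the customer's current state) ---
! Any frame is forwarded as soon as the port comes up, whether or not MAB succeeds,
! so a non-authenticated host can reach the edge firewall and the Internet.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication open                    ! <- this line is what lets traffic through
 mab
 spanning-tree portfast
!
! --- Corrected: closed mode, ISE authorizes before anything passes ---
! Without "authentication open" only EAPoL/MAB is allowed until ISE returns an
! Access-Accept; the dACL below then decides where the authenticated host may go.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 spanning-tree portfast
!
! --- Example dACL body as it would be defined in ISE (constructed) ---
! In an ISE dACL the source is always "any" and is rewritten to the host's IP.
! Result for a MAB-authenticated printer: internal reachability only, no Internet.
permit udp any any eq bootps
permit udp any any eq domain
permit ip any 10.0.0.0 0.0.255.255
deny ip any any
```

The dACL is attached to the MAB authorization profile for the printer endpoint group in ISE; hosts that never authenticate never receive it and, in closed mode, never get past the port.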

Were you able to find a solution by chance? I fail to see how FMC would not be able to see the session, as the username of the session is the MAC address of the host.
