Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
685
Views
0
Helpful
1
Replies

ISE 2.3 Passive ID - username gets mapped to multiple IP addresses

Go to solution
imihajlo
Cisco Employee
Cisco Employee

‎09-28-2018 02:42 AM - edited ‎03-11-2019 01:50 AM

Hello All,

We have a setup in the lab where we are using passive ID with ISE and as a result the username gets mapped to multiple IP addresses.

Please see the attached document for the topology.

Lab components:

ASAv

Virtual ISE 2.3

AD – Server 2016

Workstation – Windows 10

Mail server using kerberos to AD for user.

 

Lab setup:

ASAv basic config with SXP to ISE.

ISE connected to AD and using Passive ID without agent.

AD basic config with.

Mail server using Kerberos.

 

I did only a couple of tests before dismantling the lab but this was the scenario as I experienced it.

Scenario:

  1. User1 logs in to PC, ISE gets info via Passive ID and maps ip 1.1.1.1 to User1 and sends it via SXP to ASA.
  2. User1 logs in to Webmail, ISE gets info via Passive ID and maps ip 1.1.1.3 to User1 and sends it via SXP to ASA.

 

 

Is this a known phenomenon?

 

Regards,

Ivana

Preview file
60 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ben Walters
Level 3
Level 3

‎09-28-2018 06:33 AM

We use CDA right now instead of Passive ID and it is a known behavior to map a user to different IPs depending on how they access various resources. I am guessing Passive ID works in a similar way. 

 

It looks at the authentications from AD and maps users to the IP that the authentication came from, this is more prominent with our admin staff that RDP to different servers they could have several IPs associated with their user account. Basically any service that authenticates to AD could provide IP mappings to Passive ID for any user. It will hold on to the IP mapping until there is a logout from AD or the timeout expires.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Ben Walters
Level 3
Level 3

‎09-28-2018 06:33 AM

We use CDA right now instead of Passive ID and it is a known behavior to map a user to different IPs depending on how they access various resources. I am guessing Passive ID works in a similar way. 

 

It looks at the authentications from AD and maps users to the IP that the authentication came from, this is more prominent with our admin staff that RDP to different servers they could have several IPs associated with their user account. Basically any service that authenticates to AD could provide IP mappings to Passive ID for any user. It will hold on to the IP mapping until there is a logout from AD or the timeout expires.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents