User/Machine authentication on Cisco ISE.

Capricorn (Level 1)

Hi!

I am using an EAP-TLS auth policy with machine and user authorization policies. The machine authorization works fine but user authorization does not work, as described below.

 

I have users and machines in the same security group. I have different VLANs and assign the VLAN as per security group membership. For example, HR users and computers are part of the HR security group.
My machine auth is working fine, but when users log in it's not switching to the user auth policy, the reason being that both are part of the same security group. How can I make this work so that it switches to the user auth policy? I need it for Admin users so that when they log in they get the VLAN that is for Administrators.

Thanks


You should create an additional authorization rule positioned above the existing rule, matching the admin users group. Assign your permissions (VLAN) as you require. When an admin user now connects they should match this rule and not your existing rule. Computers and non-admin users would still match the existing rule.

 

HTH

Thanks.

 

What if management vlan user connects to computer authorized in HR vlan?

I want to have a rule that performs dynamic reauthorization.

I don't have access to ISE to hand to confirm, but I imagine you could select VLAN ID as a condition for your authorization rule. E.g. "Admin Group" AND "HR vlan id".

 

The VLAN assignment is not the issue. My issue is that my machine authentication works but my user authentication doesn't work because both are in the same security group. I need some RADIUS value for authorization that differentiates that a user is logging on now, so the machine authorization policy should be switched to the user authorization policy.

You need something for ISE to be able to distinguish the difference between a user and a computer, if they are in the same group that isn't going to work.

 

The obvious thing to do would be to create another group and add either the users or the computers. Or you could just rely on the default AD groups; for example, all domain-joined computers are members of "Domain Computers". Therefore create an AuthZ rule: if "Domain Computers" AND "whatever group you've created", then the other AuthZ rule should only match for users.

Yes, that approach is in my mind, but I am looking for something like what is mentioned below.

https://supportforums.cisco.com/t5/aaa-identity-and-nac/eap-tls-machine-authorization-using-acs-5-2/td-p/1643202

"2.] System Username starts from : host/"

Is it possible to have some entry in authorization to check for host/ and also something for the user, like its domain?

One more thought came to my mind and I guess it should work.

I have a computer policy that is authorizing HR users to VLAN 100 based on the HR security group from AD, and only HR users and computers are part of that.

Now I have another authorization policy for Admins, and Admin users and their computers are part of that.

 

When an HR computer boots up it gets an IP from the HR VLAN, but when an Admin logs in to it then it should change the VLAN and get an IP address from the Admin VLAN.

 

I am trying this scenario but it's not working. I am using EAP-TLS for authentication.

 

Yes, you can use the host/ AND group name for the computer AuthZ rule. You shouldn't need to do anything special for the users AuthZ rule if the computer rule is placed above the user AuthZ rule.
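To make the rule-ordering advice in this thread concrete, here is an added example (not Cisco's code and not an ISE policy export) of a toy first-match authorization engine. It shows why a rule that keys only on an AD group cannot tell an HR computer from an HR user, and how the ordering suggested above (admin users on top, machines matched on the host/ prefix AND group, plain user rule last) fixes it. All identities, group names and VLAN ids except HR's VLAN 100 are constructed for the illustration; `is_machine`, `authorize` and the rule lists are this example's own names.

```python
"""Toy first-match authorization policy, added as an illustration of the
rule ordering discussed in the thread. Not ISE code; all identities,
groups and VLAN ids other than HR's VLAN 100 are constructed.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """What we keep from an EAP-TLS session: the identity ISE resolved and
    the AD groups that identity belongs to (both constructed here)."""
    identity: str
    ad_groups: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Request], bool]
    vlan: int


def is_machine(req: Request) -> bool:
    """Computer accounts present a 'host/<fqdn>' identity; users do not."""
    return req.identity.lower().startswith("host/")


def in_group(group: str) -> Callable[[Request], bool]:
    return lambda req: group in req.ad_groups


def all_of(*conds: Callable[[Request], bool]) -> Callable[[Request], bool]:
    return lambda req: all(c(req) for c in conds)


def authorize(rules: List[Rule], req: Request) -> Optional[Tuple[str, int]]:
    """Ordered policy: the first rule whose condition holds decides the VLAN.
    None means no rule matched (ISE would fall through to its default rule)."""
    for rule in rules:
        if rule.condition(req):
            return rule.name, rule.vlan
    return None


HR_VLAN, ADMIN_VLAN = 100, 200   # 100 is from the thread; 200 is constructed

# The poster's starting point: both rules key only on group membership,
# so an HR user and an HR computer are indistinguishable and a logged-on
# user never reaches the user rule.
GROUP_ONLY_RULES = [
    Rule("HR computers", in_group("HR"), HR_VLAN),
    Rule("HR users", in_group("HR"), HR_VLAN),
]

# The fix from the thread: admin users first, then machines matched on
# host/ AND "Domain Computers" AND group, then the plain user rule.
ORDERED_RULES = [
    Rule("Admin users", all_of(lambda r: not is_machine(r), in_group("Admins")), ADMIN_VLAN),
    Rule("HR computers", all_of(is_machine, in_group("Domain Computers"), in_group("HR")), HR_VLAN),
    Rule("HR users", in_group("HR"), HR_VLAN),
]

# Constructed sample sessions: an HR PC at boot, an HR user, an admin user.
HR_PC = Request("host/hr-pc01.example.local", frozenset({"Domain Computers", "HR"}))
HR_USER = Request("jdoe", frozenset({"Domain Users", "HR"}))
ADMIN_USER = Request("asmith", frozenset({"Domain Users", "Admins"}))


if __name__ == "__main__":
    for label, rules in (("group-only", GROUP_ONLY_RULES), ("ordered", ORDERED_RULES)):
        for req in (HR_PC, HR_USER, ADMIN_USER):
            print(f"{label:10s} {req.identity:30s} -> {authorize(rules, req)}")
```

Running it shows the HR user hitting "HR computers" under the group-only policy, while under the ordered policy the HR PC lands on VLAN 100 at boot, the HR user on VLAN 100, and the admin user on VLAN 200, which is the scenario the poster describes (HR machine boots into the HR VLAN, admin logon moves to the admin VLAN).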

One thing I found out is that my username and the username in the certificate are different. The username is a generic number like 24456 and the certificate is issued to first name and last name, so I can see the error

Identity resolution failed - ERROR_NO_SUCH_USER, as ISE is checking my first name and last name, which is not in AD; rather it is 24456.

My UPN name is different than sAMaccountname.

(Accepted solution) I believe it's not possible to use the common name, but it's possible to use a policy with other attributes, like certificate issuer name contains xyz.
