Beginner

User/Machine authentication on Cisco ISE.

Hi!

I am using an EAP-TLS auth policy with separate machine and user authorization policies. The machine authorization works fine, but the user authorization does not work, as described below.


I have users and machines in the same security group. I have different VLANs and assign the VLAN according to security group membership; for example, HR users and computers are part of the HR security group.
My machine auth is working fine, but when users log in it is not switching to the user auth policy, because both are part of the same security group. How can I make this work so that it switches to the user auth policy? I need it for Admin users, so that when they log in they get the VLAN that is for Administrators.

Thanks

Accepted Solution
Beginner

Re: User/Machine authentication on Cisco ISE.

I believe it's not possible to use the common name, but it is possible to use a policy with other attributes, like certificate issuer name contains xyz.

RJI (VIP Advisor)

Re: User/Machine authentication on Cisco ISE.

You should create an additional authorization rule positioned above the existing rule, matching the admin users group. Assign your permissions (VLAN) as you require. When an admin user now connects they should match this rule and not your existing rule. Computers and non-admin users would still match the existing rule.


HTH

Beginner

Re: User/Machine authentication on Cisco ISE.

Thanks.


What if a management VLAN user connects to a computer authorized in the HR VLAN?

I want to have a rule that performs dynamic reauthorization.

RJI (VIP Advisor)

Re: User/Machine authentication on Cisco ISE.

I don't have access to ISE to hand to confirm... but I imagine you could select VLAN ID as a condition for your authorization rule, e.g. "Admin Group" AND "HR vlan id".


Beginner

Re: User/Machine authentication on Cisco ISE.

The VLAN assignment is not the issue. My issue is that my machine authentication works but my user authentication doesn't work, because both are in the same security group. I need some RADIUS value for authorization that indicates a user is logging on now, so that the machine authorization policy is switched to the user authorization policy.

RJI (VIP Advisor)

Re: User/Machine authentication on Cisco ISE.

You need something for ISE to be able to distinguish between a user and a computer; if they are in the same group, that isn't going to work.


The obvious thing to do would be to create another group and add either the users or the computers to it. Or you could just rely on the default AD groups; for example, all domain-joined computers are members of "Domain Computers". Therefore create an AuthZ rule for "Domain Computers" AND "whatever group you've created", and the other AuthZ rule should then only match for users.

Beginner

Re: User/Machine authentication on Cisco ISE.

Yes, that approach is in my mind, but I'm looking for something like what is mentioned below.

https://supportforums.cisco.com/t5/aaa-identity-and-nac/eap-tls-machine-authorization-using-acs-5-2/td-p/1643202

"2.] System Username starts from : host/"

Is it possible to have some entry in authorization to check for host/ and also something for the user, like its domain?

Beginner

Re: User/Machine authentication on Cisco ISE.

One more thought came to my mind and I guess it should work.

I have a computer policy that authorizes HR users to VLAN 100 based on the HR security group from AD, and only HR users and computers are part of that.

Now I have another authorization policy for Admins, and admin users and their computers are part of that.


When an HR computer boots up it gets an IP from the HR VLAN, but when an admin logs in to it, it should change the VLAN and get an IP address from the Admin VLAN.


I am trying this scenario but it's not working. I am using EAP-TLS for authentication.


RJI (VIP Advisor)

Re: User/Machine authentication on Cisco ISE.

Yes, you can use the host/ AND group name for the computer AuthZ rule. You shouldn't need to do anything special for the users AuthZ rule if the computer rule is placed above the user AuthZ rule.
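
An added illustration, not code from this thread or from ISE itself: a first-match walk over the rule order RJI describes, with the computer rule keyed on the host/ identity plus an AD group and the admin-user rule placed above the HR rule. The attribute names and sample sessions are constructed for the example.

```python
# Added illustration, not from the thread: first-match evaluation of the
# authorization rule order RJI describes (computer rule keyed on the host/
# identity plus an AD group, admin-user rule placed above the HR rule).
# Attribute names and the sample sessions are constructed for this example;
# they are not real ISE attribute names.
from dataclasses import dataclass, field


@dataclass
class Session:
    username: str                    # identity ISE resolved from the EAP-TLS cert
    ad_groups: set = field(default_factory=set)


def is_machine(s: Session) -> bool:
    # Machine identities arrive as host/<name> and sit in "Domain Computers".
    return s.username.lower().startswith("host/") and "Domain Computers" in s.ad_groups


# Ordered rules: (name, condition, VLAN). ISE stops at the first match, so the
# more specific rules must sit above the general ones.
RULES = [
    ("Admin users",  lambda s: not is_machine(s) and "Admins" in s.ad_groups, 200),
    ("HR computers", lambda s: is_machine(s) and "HR" in s.ad_groups, 100),
    ("HR users",     lambda s: not is_machine(s) and "HR" in s.ad_groups, 100),
]


def authorize(s: Session):
    """Return (rule name, VLAN) for the first matching rule, or a deny."""
    for name, cond, vlan in RULES:
        if cond(s):
            return name, vlan
    return "Default deny", None


def reauth_sequence(machine: Session, user: Session):
    """Machine auth at boot, then the user's logon re-authorization."""
    return [authorize(machine), authorize(user)]


if __name__ == "__main__":
    hr_pc = Session("host/hr-pc01", {"Domain Computers", "HR"})
    admin = Session("admin1", {"HR", "Admins"})   # admin is also in HR
    print(reauth_sequence(hr_pc, admin))
```

Because the admin rule is evaluated first, an admin who is also in the HR group still lands in VLAN 200, while the same PC at boot stays in VLAN 100.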

Beginner

Re: User/Machine authentication on Cisco ISE.

One thing I found out is that my username and the username in my certificate are different. The username is a generic number like 24456, and the certificate is issued to first name and last name, so I can see the error

Identity resolution failed - ERROR_NO_SUCH_USER, as ISE is checking my first name and last name, which is not in AD; what is in AD is 24456.

Beginner

Re: User/Machine authentication on Cisco ISE.

My UPN name is different from my sAMAccountName.
