
ISE Authentication and Authorization Policy Reference


 


Have a comment or question about this document? Please start a new discussion in the ISE Community and link to this document or the specific section you have a comment or question about.

 

ISE Default Policy Set

Navigate to Policy > Policy Sets in ISE 2.4 and later to see the default Policy Set:


 

Policy Sets ➡ Default

 

Click on ⊕ or ➕ to create a new policy set.

| Policy Set Name | Description | Conditions | Allowed Protocols / Server Sequence |
|---|---|---|---|
| Default | Default Policy Set | (none) | Default Network Access |

 

Click on ❱ to view the details of a policy set:

❱ Authentication Policy
❱ Authorization Policy - Local Exceptions
❱ Authorization Policy - Global Exceptions
❱ Authorization Policy

 

Authentication Policy

In ISE 2.x, there are 3 default authentication policies:

  • MAB
  • Dot1X
  • Default
| Rule Name | Conditions | Use (identity store) | Options |
|---|---|---|---|
| MAB | Wired_MAB OR Wireless_MAB | Internal Endpoints | If Auth fail: REJECT; If User not found: CONTINUE; If Process fail: DROP |
| Dot1X | Wired_802.1X OR Wireless_802.1X | All_User_ID_Stores | If Auth fail: REJECT; If User not found: REJECT; If Process fail: DROP |
| Default | (none) | All_User_ID_Stores | If Auth fail: REJECT; If User not found: REJECT; If Process fail: DROP |

Each authentication policy has Options that define what to do in error conditions (authentication failure, user not found, process failure):

  • Reject: Send an ‘Access-Reject’ back to the NAD
  • Continue: Continue to authorization regardless of the authentication outcome (this is why the MAB rule uses CONTINUE for "User not found": an unknown MAC address can still be profiled or redirected by an authorization rule)
  • Drop: Drop the request and do not respond to the NAD; the NAD will treat ISE as if the RADIUS server is dead

 

Authorization Policy - Local Exceptions

There are no Local Exceptions by default. Click on ⊕ or ➕ to create a new exception.

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| (no local exceptions by default) | | | |

 

Authorization Policy - Global Exceptions

There are no Global Exceptions by default. Click on ⊕ or ➕ to create a new exception.

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| (no global exceptions by default) | | | |

 

Authorization Policy

There are 12 authorization policies provided by default:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Wireless Black List Default | Wireless_Access AND IdentityGroup-Name EQUALS Endpoint Identity Groups:Blacklist | Blackhole_Wireless_Access | - |
| Profiled Cisco IP Phones | IdentityGroup-Name EQUALS Endpoint Identity Groups:Profiled:Cisco-IP-Phone | Cisco_IP_Phones | - |
| Profiled Non Cisco IP Phones | Non_Cisco_Profiled_Phones | Non_Cisco_IP_Phones | - |
| Unknown_Compliance_Redirect | Network_Access_Authentication_Passed AND Compliance_Unknown_Devices | Cisco_Temporal_Onboard | - |
| NonCompliant_Devices_Redirect | Network_Access_Authentication_Passed AND Non_Compliant_Devices | Cisco_Temporal_Onboard | - |
| Compliant_Devices_Access | Network_Access_Authentication_Passed AND Compliant_Devices | PermitAccess | - |
| Employee_EAP-TLS | Wireless_802.1X AND BYOD_is_Registered AND EAP-TLS AND MAC_in_SAN | PermitAccess | - |
| Employee_Onboarding | Wireless_802.1X AND EAP-MSCHAPv2 | NSP_Onboard | - |
| Wi-Fi_Guest_Access | Guest_Flow AND Wireless_MAB | PermitAccess | - |
| Wi-Fi_Redirect_to_Guest_Login | Wireless_MAB | Cisco_WebAuth | - |
| Basic_Authenticated_Access | Network_Access_Authentication_Passed | PermitAccess | - |
| Default | (none) | DenyAccess | - |

 

Secure Default Authorization Policy

In order to provide a secure default for wireless endpoints and closed-mode deployments, the default ISE Policy Set's Default authorization policy is configured to deny access with the DenyAccess authorization profile.

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Default | (none) | DenyAccess | - |

If instead your goal is to get visibility on your wired network, you will want to change the Default rule's profile to PermitAccess so that all endpoints continue to get open access and you can collect profiling information until you are ready to begin enforcement.

 

Default Authorization Policy for Monitor Mode

If you first deploy ISE to get visibility on your wired network with a "monitor mode" switchport configuration, you should change the Default rule's authorization profile to PermitAccess. This ensures that every user and device gets full network access until you are ready to start enforcement.

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Default | (none) | PermitAccess | - |

 

Default Conditions

| Named Condition | Conditions | Description |
|---|---|---|
| BYOD_is_Registered | Endpoints:BYODRegistration EQUALS Yes | Default condition for BYOD flow for any device that has passed the network supplicant provisioning (NSP) process |
| Catalyst_Switch_Local_Web_Authentication | Radius:Service-Type EQUALS Outbound AND Radius:NAS-Port-Type EQUALS Ethernet | Default condition used to match authentication requests for Local Web Authentication from Cisco Catalyst switches |
| Compliance_Unknown_Devices | Session:PostureStatus EQUALS Unknown | Default condition for devices whose posture compliance is unknown |
| Compliant_Devices | Session:PostureStatus EQUALS Compliant | Default condition for posture-compliant devices |
| EAP-MSCHAPv2 | Network Access:EapAuthentication EQUALS EAP-MSCHAPv2 | Default condition for BYOD onboarding flow |
| EAP-TLS | Network Access:EapAuthentication EQUALS EAP-TLS | Default condition for BYOD flow for any device that has passed the network supplicant provisioning (NSP) process |
| Guest_Flow | Network Access:Use Case EQUALS Guest Flow | Default condition for guest flow |
| MAC_in_SAN | Certificate:Subject Alternative Name EQUALS Radius:Calling-Station-ID | Default condition for BYOD flow for any device that has passed the network supplicant provisioning (NSP) process |
| Network_Access_Authentication_Passed | Network Access:AuthenticationStatus EQUALS AuthenticationPassed | Default condition used for basic network access, requiring that the authentication was successful |
| Non_Cisco_Profiled_Phones | Endpoints:LogicalProfile EQUALS IP-Phones | Default condition used to match IP Phones |
| Non_Compliant_Devices | Session:PostureStatus EQUALS Non-Compliant | |
| Switch_Local_Web_Authentication | Radius:Service-Type EQUALS Outbound AND Radius:NAS-Port-Type EQUALS Ethernet | Default condition used to match authentication requests for Local Web Authentication from Cisco Catalyst switches |
| Switch_Web_Authentication | Normalized Radius:RadiusFlowType EQUALS WiredWebAuth | A condition to match requests for web authentication from switches according to the corresponding Web Authentication attributes defined in the network device profile |
| Wired_802.1X | Normalized Radius:RadiusFlowType EQUALS Wired8021_X | A condition to match requests for 802.1X authentication from switches according to the corresponding 802.1X attributes defined in the network device profile |
| Wired_MAB | Normalized Radius:RadiusFlowType EQUALS WiredMAB | A condition to match MAC Authentication Bypass requests from switches according to the corresponding MAB attributes defined in the network device profile |
| Wireless_802.1X | Normalized Radius:RadiusFlowType EQUALS Wireless8021_X | A condition to match requests for 802.1X authentication from wireless LAN controllers according to the corresponding 802.1X attributes defined in the network device profile |
| Wireless_Access | Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11 | Default condition used to match any authentication request from a Cisco Wireless LAN Controller |
| Wireless_MAB | Normalized Radius:RadiusFlowType EQUALS WirelessMAB | A condition to match MAC Authentication Bypass requests from wireless LAN controllers according to the corresponding MAB attributes defined in the network device profile |
| WLC_Web_Authentication | Normalized Radius:RadiusFlowType EQUALS WirelessWebAuth | A condition to match requests for web authentication from wireless LAN controllers according to the corresponding Web Authentication attributes defined in the network device profile |

 

Authentications

Virtual Private Network (VPN)

You may use Radius:NAS-Port-Type EQUALS Virtual to match all VPN sessions in your policies.

| Rule Name | Conditions | Use (identity store) |
|---|---|---|
| VPN | Radius:NAS-Port-Type EQUALS Virtual | All_User_ID_Stores |

 

Exceptions

Any of the following exceptions may be applied to Global Exceptions for all policy sets or to Local Exceptions for individual policy sets.

Warning! Remember that any and all Exceptions are processed before any policy set authorization rules, in this order:

    Global Exceptions ≫ Policy Set Local Exceptions ≫ Policy Set Authorizations

Because every Global Exception is evaluated for every request, the creation of Global Exceptions and the attributes you use in their conditions should be evaluated carefully to prevent a degradation of your authorization speed and the general performance of ISE!

Blacklist

Users or devices may be moved into the Blacklist Endpoint Identity Group in order to temporarily prevent access. This is typically done for:

  • lost BYOD devices
  • any user or device that you want to block for any reason

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| BlackList | IdentityGroup:Name STARTS_WITH Endpoint Identity Groups:Blacklist | DenyAccess | Quarantine |

 

Quarantine

Similar to the blacklist, you may want to quarantine a user or device based on a security integration that uses the ISE EPS or ANC APIs, which set the session's EPSStatus.

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Quarantine | Session:EPSStatus EQUALS Quarantine | DenyAccess | Quarantine |

 

Certificate Renewal

If ISE detects that an endpoint's certificate has expired or will expire soon, it is good to be proactive and redirect the endpoint to get a new certificate rather than wait for it to fail authentication.

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Certificate_Renewal | Certificate:isExpired EQUALS True OR Certificate:Days to Expiry LESS_OR_EQUALS 30 | Certificate_Expiry_Redirect | - |

 

The original document includes a screenshot of the Certificate_Expiry_Redirect authorization profile (image not reproduced here).

 

Authorizations

Internal User Authorization

Sometimes you may want to test RADIUS access with an internal test user account. Match on the username so the rule cannot apply to anyone else:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Test_User | Network Access:Username EQUALS test_user | PermitAccess | Employees |

 

RADIUS Probes

You may configure network devices or load balancers to send synthetic RADIUS queries to check that ISE is alive. A dedicated rule keyed on the probe username keeps those requests out of your real authorization rules:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| RADIUS_Probe | Radius:User-Name STARTS_WITH radtest | RADIUS_Probes | - |

 

Microsoft Active Directory Groups Authorizations

User Authentication with Microsoft Active Directory

You can authorize Active Directory users by requiring the EAP-MSCHAPv2 protocol together with membership in an AD group:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Employee | EAP-MSCHAPv2 AND subdomain.domain.com:ExternalGroups EQUALS subdomain.domain.com/Users/Domain Users | PermitAccess | Employees |

We recommend using the Employees security/scalable group tag (SGT) to classify your users or devices by role. You may do this even if you are not doing software-defined access or group-based policy enforcement. If your network device does not support SGTs, it will simply ignore the RADIUS vendor-specific attribute (VSA) for the SGT.

 

Or by explicitly requiring a wired or wireless 802.1X authentication:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Employee | (Wired_802.1X OR Wireless_802.1X) AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Users | PermitAccess | Employees |

 

Machine Authentication with Active Directory (802.1X with EAP-TLS to AD)

Machine authentication using EAP-TLS for domain-joined computers that present a machine certificate, authorized by membership in the AD Domain Computers group:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Employee | EAP-TLS AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Computers | PermitAccess | Domain_Computers |

There is no Domain_Computers security/scalable group in ISE by default, so you would need to create it.

 

Machine Authentication with Duo 2FA/MFA (802.1X with Web Authentication)

Machine authentication using EAP-TLS for domain-joined computers with a certificate, followed by web authentication of the user against Duo Security with 2FA/MFA. The second rule grants the machine limited access (MachineAuth); the first rule then requires both the Duo group membership and a prior successful machine authentication in the same session:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Employee | duoSAML:ExternalGroups EQUALS Employees AND Network Access:WasMachineAuthenticated EQUALS True | PermitAccess | Employees |
| Domain Computer | EAP-TLS AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Computers | MachineAuth | Domain_Computers |

There is no Domain_Computers security/scalable group in ISE by default, so you would need to create it.

 

EAP-Chaining: User and Machine Authentication using EAP-FAST

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| EAP-Chaining | Network Access:EapTunnel EQUALS EAP-FAST AND Network Access:EapChainingResult EQUALS User and machine both succeeded | PermitAccess | Employees |

 

 

TEAP-Chaining with Tunneled EAP (TEAP)

TEAP is a newer EAP tunnel protocol supported in ISE 2.7 and later. Its EapChainingResult lets you give different access depending on whether the user, the machine, or both succeeded:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| TEAP-Chaining | Network Access:EapTunnel EQUALS TEAP AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Users AND Network Access:EapChainingResult EQUALS User and machine both succeeded | PermitAccess | Employees |
| TEAP-Machine | Network Access:EapTunnel EQUALS TEAP AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Computers AND Network Access:EapChainingResult EQUALS User failed and machine succeeded | MachineAuth | Machine |
| TEAP-User | Network Access:EapTunnel EQUALS TEAP AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Users AND Network Access:EapChainingResult EQUALS User succeeded and machine failed | EmployeeOnly | Employees |

 

Wireless Authorization Matching a Specific SSID

Wireless controllers offer many options for the format of the RADIUS Called-Station-ID. If you want to match on a specific SSID, you will need to ensure that your wireless controller is configured to include the SSID in the RADIUS Called-Station-ID (the original document shows this WLC setting in a screenshot that is not reproduced here).

This allows you to match the SSID in your ISE authorization policy to provide the appropriate level of access for your wireless services (Guest vs Corporate vs BYOD, etc.) with a rule like:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Guest_Wireless | Radius:Called-Station-ID ENDS_WITH Guest AND Guest_Flow | Internet_Only | Guest |

Remember that if you later change your WLC's RADIUS Called-Station-ID format to something that does not end with :SSID, every authorization rule that matches on it stops matching and the affected sessions fall through to later rules, with potentially bad effects!
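To make the processing order from the Exceptions section (Global Exceptions ≫ Local Exceptions ≫ policy set rules), the first-match behaviour of the rule table, the secure DenyAccess Default rule and the Called-Station-ID caveat above concrete, here is an added toy evaluator in Python. It is not Cisco ISE code; it only mimics the EQUALS / STARTS_WITH / ENDS_WITH operators and AND / OR rule logic used by the rules on this page. Which exception is "global" and which is "local" is this example's own choice, and the session dictionaries are constructed samples, not captured RADIUS traffic.

```python
"""First-match evaluator for ISE-style authorization rules (added example, not ISE code).

It models three things from the page:
  * condition operators EQUALS / STARTS_WITH / ENDS_WITH joined with AND or OR,
  * the processing order Global Exceptions >> Local Exceptions >> policy set rules,
  * the catch-all Default rule (DenyAccess) for sessions no other rule matched.
Global/local placement of the exceptions is an assumption made here; the session
dictionaries below are constructed samples, not captured RADIUS traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cond:
    attribute: str
    operator: str  # EQUALS | STARTS_WITH | ENDS_WITH
    value: str

    def matches(self, session: dict) -> bool:
        actual = session.get(self.attribute)
        if actual is None:  # attribute absent from the session: condition is false
            return False
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "STARTS_WITH":
            return actual.startswith(self.value)
        if self.operator == "ENDS_WITH":
            return actual.endswith(self.value)
        raise ValueError(f"unsupported operator {self.operator}")


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple  # of Cond; an empty tuple matches everything (the Default rule)
    profile: str
    logic: str = "AND"  # AND or OR across the conditions

    def matches(self, session: dict) -> bool:
        if not self.conditions:
            return True
        hits = [c.matches(session) for c in self.conditions]
        return all(hits) if self.logic == "AND" else any(hits)


# Library conditions taken from the page's Default Conditions table
WIRELESS_MAB = Cond("Normalized Radius:RadiusFlowType", "EQUALS", "WirelessMAB")
GUEST_FLOW = Cond("Network Access:Use Case", "EQUALS", "Guest Flow")
AUTH_PASSED = Cond("Network Access:AuthenticationStatus", "EQUALS", "AuthenticationPassed")

# Which exception is global and which is local is this example's choice
GLOBAL_EXCEPTIONS = [
    Rule("BlackList", (Cond("IdentityGroup:Name", "STARTS_WITH",
                            "Endpoint Identity Groups:Blacklist"),), "DenyAccess"),
]
LOCAL_EXCEPTIONS = [
    Rule("Quarantine", (Cond("Session:EPSStatus", "EQUALS", "Quarantine"),), "DenyAccess"),
]
AUTHORIZATION_RULES = [  # ordered top to bottom as they would sit in the policy set
    Rule("Guest_Wireless", (Cond("Radius:Called-Station-ID", "ENDS_WITH", "Guest"), GUEST_FLOW), "Internet_Only"),
    Rule("Wi-Fi_Guest_Access", (GUEST_FLOW, WIRELESS_MAB), "PermitAccess"),
    Rule("Basic_Authenticated_Access", (AUTH_PASSED,), "PermitAccess"),
    Rule("Default", (), "DenyAccess"),  # the secure default from the page
]


def authorize(session, global_exc=GLOBAL_EXCEPTIONS, local_exc=LOCAL_EXCEPTIONS, rules=AUTHORIZATION_RULES):
    """Return (rule name, authorization profile) of the first rule that matches."""
    for rule in [*global_exc, *local_exc, *rules]:
        if rule.matches(session):
            return rule.name, rule.profile
    return "Default", "DenyAccess"  # only reached if the Default rule has been removed


# Constructed sample sessions (attribute names follow the page's conditions)
GUEST_ON_GUEST_SSID = {
    "Radius:Called-Station-ID": "aa-bb-cc-dd-ee-ff:Guest",  # WLC appends the SSID
    "Network Access:Use Case": "Guest Flow",
    "Normalized Radius:RadiusFlowType": "WirelessMAB",
}
# Same guest after the WLC was changed to send only the AP MAC: the SSID rule no longer fires
GUEST_WITHOUT_SSID = {**GUEST_ON_GUEST_SSID, "Radius:Called-Station-ID": "aa-bb-cc-dd-ee-ff"}
BLACKLISTED_EMPLOYEE = {
    "IdentityGroup:Name": "Endpoint Identity Groups:Blacklist",
    "Network Access:AuthenticationStatus": "AuthenticationPassed",
}
UNKNOWN_DEVICE = {"Network Access:AuthenticationStatus": "AuthenticationFailed"}


if __name__ == "__main__":
    for label, s in [("guest on Guest SSID", GUEST_ON_GUEST_SSID), ("guest, SSID dropped", GUEST_WITHOUT_SSID),
                     ("blacklisted employee", BLACKLISTED_EMPLOYEE), ("unknown device", UNKNOWN_DEVICE)]:
        print(f"{label:22} -> {authorize(s)}")
```

The second guest session shows the caveat in practice: once the Called-Station-ID no longer ends with the SSID, the guest is no longer restricted by Guest_Wireless (Internet_Only) but falls through to Wi-Fi_Guest_Access and receives PermitAccess. The blacklisted employee shows why exceptions run first: with the exceptions removed, the same session would be permitted by Basic_Authenticated_Access.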

 

MAC Authentication Bypass (MAB) Authorizations

Single MAC Address

When testing your policies, you may want to filter on one or more specific MAC addresses for your test device. For this you would use the Radius:Calling-Station-ID attribute:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Test_Printer | Radius:Calling-Station-ID EQUALS 11-22-33-44-55-66 | PermitAccess | Printers |

 

Multiple MAC Addresses

To match several test devices with one rule, combine multiple Radius:Calling-Station-ID conditions with OR:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Test_Printers | Radius:Calling-Station-ID EQUALS 11-22-33-44-55-66 OR Radius:Calling-Station-ID EQUALS 11-22-33-44-55-77 OR Radius:Calling-Station-ID EQUALS 11-22-33-44-55-88 | PermitAccess | Printers |

 

MAC OUI Wildcard

Similar to filtering on a single MAC address or several, you may simply filter on the first six hexadecimal digits (three octets) of the MAC address, known as the IEEE Organizationally Unique Identifier (OUI), with STARTS_WITH:

| Rule Name | Conditions | Profiles | Security Groups |
|---|---|---|---|
| Test_Printers | Radius:Calling-Station-ID STARTS_WITH 11-22-33 | PermitAccess | Printers |

 

Profiling Authorizations

More to come!