12-29-2021 02:07 PM
In ISE, I will create many authorization profiles, and each one includes the specific parameters (VN name, SGT name, pool name), and these parameters should match the names in DNA.
If I have Authorization profile 1: VN ENG, SGT HR, pool name 172.16.1.1_HR
Authorization profile 2: VN ENG, SGT Engineer, pool name 172.17.1.1_ENG
My question now:
In the host onboarding (DNA), if I have the two ports and there is 802.1X configuration, but I need the first port, when its authentication is successful, to take authorization profile 1 and the second port to take authorization profile 2,
so how does the port know which authorization profile it will use? Is there a command under the port that points to the name of the authorization profile to check it with ISE?
01-03-2022 01:13 AM
Hi waleed_matter,
you may want to have a look at this: https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430
You will need to add the Authorization Profiles to Authorization Policies. Within these Policies you will be able to control which Endpoints/Ports/Sessions will get which Authorization Profile. So ISE will tell the switches which attributes to use for each RADIUS session.
Maybe the Cisco Live session BRKCRS 3810 is also helpful to you.
01-03-2022 10:52 AM
Hi Benjamin-A,
Thanks for your update. I read it before, and this is the reason for my question. If you check the port configuration highlighted in yellow in the doc (G1/0/24), you will see it is normal commands under the port, so my question is whether there is any command under the port that associates it with the specific authorization name to match it in ISE, because surely there will be many authorization profiles (each one has a different VN, VLAN ID, pool name) in ISE, so how does the port know which authorization profile it will use from ISE?
Or, when the user authenticates successfully through ISE, there will be an authorization profile associated with this authentication profile for this user:
G1/0/24 ---- Authentication OK through ISE (ISE will check which authorization profile this authentication profile is associated with, which will include the VN name, VLAN ID and pool; then ISE will select it and provide the VLAN ID, VN name and pool name and apply it to the port to get the IP, mask and GW accordingly). Correct?
01-03-2022 12:51 PM
Thanks for your answer. So, as I mentioned in the last post:
When the user authenticates successfully through ISE, there will be an authorization profile associated with this authentication profile for this user:
G1/0/24 ---- Authentication OK through ISE (ISE will check which authorization profile this authentication profile is associated with, which will include the VN name, VLAN ID and pool; then ISE will select it and provide the VLAN ID, VN name and pool name and apply it to the port to get the IP, mask and GW accordingly),
as in the traditional request flow.
01-03-2022 11:28 AM
Hi,
Sorry, hopefully I got it this time.
For a fabric site you will choose one template: OpenAuth, ClosedAuth, LowImpact etc. After doing so, each Access Port will be configured by default with the same configuration. In the example OpenAuth will be used.
Neither the Authorization Profiles nor a link to them will be configured within the Port Configuration or the Source Template. They are all the same.
I am not an ISE specialist, but from the concept (some flows can be found here: https://community.cisco.com/t5/security-documents/collection-of-ise-auth-and-service-flows/ta-p/3641835):
Endpoint / User connects to Access Port
Based on the order, the Authenticator (Edge Node) will first try 802.1X or MAB Authentication
Authenticator will send a RADIUS Access-Request to ISE
ISE will follow its internal process to authenticate the Endpoint/User
After successful authentication it will go through its internal process of authorization based on priority etc.
Within this process it will match an Authorization Profile
If successful, it will send back a RADIUS Access-Accept with the AVPs (attribute value pairs) listed (cts:security-group-tag, VN, Tunnel-Type etc. [listed in the picture])
If you use the command "show access-session interface <int> detail" you will see the assignments per port. There could be multiple per port too, as it is dynamic authentication/authorization via RADIUS.
It is almost exactly the same as within traditional networks where you use RADIUS to authenticate Endpoints. There you will assign VLANs or dACLs. But the Port Config stays the same.
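To make the point of the post above concrete (the port config carries no profile name; the VLAN and SGT arrive in the RADIUS Access-Accept), here is an added example, not code from the thread or from Cisco, that encodes and decodes the attributes ISE would return: Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID for the VLAN and a Cisco cisco-avpair for the SGT. The sample Access-Accept, the VLAN 1021 and the SGT value are constructed for illustration.

```python
# RADIUS attribute numbers ISE uses for dynamic VLAN/SGT assignment (RFC 2865/2868)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
TUNNEL_TYPE_VLAN, MEDIUM_802 = 13, 6

def attr(atype, value):  # one RADIUS attribute: type, length (header included), value
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text):  # Vendor-Specific attribute wrapping a cisco-avpair string
    sub = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, CISCO_VENDOR_ID.to_bytes(4, "big") + sub)

def iter_attrs(data):  # walk the attribute blob, rejecting bad lengths
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def untag(value):  # tunnel attributes may carry a leading tag byte 0x00-0x1f (RFC 2868)
    return value[1:] if value and value[0] <= 0x1F else value

def decode_access_accept(data):  # VLAN and SGT a switch would apply to this session
    tunnel_type = medium = group = sgt = None
    avpairs = []
    for atype, value in iter_attrs(data):
        if atype == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(untag(value), "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(untag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = untag(value).decode()
        elif atype == VENDOR_SPECIFIC and value[:4] == CISCO_VENDOR_ID.to_bytes(4, "big"):
            if value[4] == CISCO_AVPAIR:
                avpairs.append(value[6:4 + value[5]].decode())
    for pair in avpairs:
        if pair.startswith("cts:security-group-tag="):
            sgt = int(pair.split("=", 1)[1].split("-")[0], 16)  # "0010-00" -> SGT 16
    # A VLAN assignment only counts when Tunnel-Type=VLAN(13) and Tunnel-Medium-Type=802(6)
    vlan = group if (tunnel_type, medium) == (TUNNEL_TYPE_VLAN, MEDIUM_802) else None
    return {"vlan": vlan, "sgt": sgt, "avpairs": avpairs}

# Constructed sample of what ISE might return for the thread's "Authorization profile 1"
SAMPLE_ACCEPT = (attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                 + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + MEDIUM_802.to_bytes(3, "big"))
                 + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"1021")
                 + cisco_avpair("cts:security-group-tag=0010-00"))
```

Running decode_access_accept(SAMPLE_ACCEPT) yields VLAN "1021" and SGT 16, the same values "show access-session interface <int> detail" would list under the session; a Tunnel-Private-Group-ID without the matching Tunnel-Type and Tunnel-Medium-Type is ignored.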
06-25-2022 01:48 PM
Thanks for your update, but I am confused by open authentication and closed authentication as in the Cisco doc. With closed authentication, once the user succeeds in authenticating, it can get DHCP and all the services, but with open authentication it doesn't need to go through the 802.1X authentication process to get DHCP or DNS services, like no authentication. So what is the difference between open authentication and no authentication?
06-25-2022 02:07 PM
Another name for Open Authentication is "Monitor mode". It is mainly used during the initial phases of deployment or migrations to make sure that clients can authenticate with their respective credentials or certificates without denying them access to the network.
With Open Authentication you can also determine if a client is capable of using dot1x or not, which devices have correct credentials, correct certificates, dynamically start adding endpoints to the endpoint database in ISE based on their MAC addresses, etc.
Once you confirm that your clients are working with Open Auth/Monitor mode, you can change the template to Closed if access control is required for these hosts.
06-25-2022 02:17 PM
Thanks for your update. So open authentication is like a simulation or test of the authentication, but in the end we can accept or deny the user depending on whether he failed or succeeded in the authentication through ISE, correct? Then, after we are sure that the authentication will work, we can change it to closed authentication (real), correct?
06-25-2022 02:26 PM
Yes, that is correct. With Open Auth you will see RADIUS log events for clients connected in Open Auth ports, and determine if the authentication flow is correct before changing to Closed.