902 Views, 0 Helpful, 8 Replies

SD-ACCESS (Host onboarding with ISE)

waleedmatter
Level 1

In ISE, I will create many authorization profiles, and each one includes specific parameters (VN name, SGT name, pool name). These parameters should match the names in DNA.

If I have authorization profile 1: VN ENG, SGT HR, pool name 172.16.1.1_HR

Authorization profile 2: VN ENG, SGT Engineer, pool name 172.17.1.1_ENG

My question now:

In Host Onboarding (DNA), if I have two ports with 802.1X configuration, but I need the first port, on successful authentication, to take authorization profile 1 and the second port to take authorization profile 2:

So how does the port know which authorization profile to use? Is there a command under the port that points to the name of the authorization profile, to check it with ISE?

8 Replies

Benjamin-A
Level 1

Hi waleed_matter,

You may want to have a look at this: https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430

You will need to add the Authorization Profiles to Authorization Policies. Within these policies you will be able to control which endpoints/ports/sessions get which Authorization Profile. So ISE will tell the switches which attributes to use for each RADIUS session.

Maybe Cisco Live Session BRKCRS 3810 is also helpful to you.


.:|:..:|:.Please rate helpful posts.:|:..:|:.

waleedmatter
Level 1

Hi Benjamin-A,

Thanks for your update. I read it before, and this is the reason for my question. If you check the port configuration highlighted in yellow in the doc (G1/0/24), you will see that they are normal commands under the port. So my question is whether there is any command under the port that associates it with a specific authorization profile name, to match it in ISE, because surely there will be many authorization profiles (each one with a different VN, VLAN ID and pool name) in ISE. So how does the port know which authorization profile to use from ISE?

Or, when the user authenticates successfully through ISE, there will be an authorization profile associated with this authentication profile for this user:

G1/0/24 ---- Authentication OK through ISE (ISE will check which authorization profile this authentication profile is associated with, which includes the VN name, VLAN ID and pool; then ISE will select it, provide the VLAN ID, VN name and pool name, and apply them to the port to get the IP, mask and GW accordingly). Correct?

Thanks for your answer. So, as I mentioned in the last post:

When the user authenticates successfully through ISE, there will be an authorization profile associated with this authentication profile for this user:

G1/0/24 ---- Authentication OK through ISE (ISE will check which authorization profile this authentication profile is associated with, which includes the VN name, VLAN ID and pool; then ISE will select it, provide the VLAN ID, VN name and pool name, and apply them to the port to get the IP, mask and GW accordingly)

As in the traditional request flow.

Benjamin-A
Level 1

Hi,

Sorry, hopefully I got it this time.

For a fabric site you will choose one template: OpenAuth, ClosedAuth, LowImpact, etc. After doing so, each access port will be configured by default with the same configuration. In the example, OpenAuth is used.

Neither the Authorization Profiles nor a link to them will be configured within the port configuration or the source template. They are all the same.

I am not an ISE specialist, but from the concept (some flows can be found here: https://community.cisco.com/t5/security-documents/collection-of-ise-auth-and-service-flows/ta-p/3641835):

Endpoint / user connects to an access port.

Based on the order, the authenticator (edge node) will first try 802.1X or MAB authentication.

The authenticator will send a RADIUS Access-Request to ISE.

ISE will follow its internal process to authenticate the endpoint/user.

After successful authentication, it will go through its internal process of authorization based on priority etc.

Within this process it will match an Authorization Profile.

If successful, it will send back a RADIUS Access-Accept with the AVPs (attribute value pairs) listed (cts:security-group-tag, VN, Tunnel-Type etc. [listed in the picture]).

If you use the command "show access-session interface <int> detail" you will see the assignments per port. There could be multiple per port too, as it is dynamic authentication/authorization via RADIUS.

It is almost exactly the same as within traditional networks where you use RADIUS to authenticate endpoints. There you will assign VLANs or dACLs, but the port config stays the same.


.:|:..:|:.Please rate helpful posts.:|:..:|:.
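To make the point above concrete, here is an added example (not from this thread, not Cisco code) that encodes and decodes the RADIUS Access-Accept attributes an authorization profile like the ones in the question would yield: the Tunnel-* attributes carrying the pool/VLAN name and a cisco-avpair carrying the SGT. The attribute numbers are the standard RFC 2865/2868 ones and vendor ID 9 is Cisco's; the SGT values, tag octet and pool names are constructed, and only the VLAN name and SGT attributes are modelled, so the same decoder shows that two sessions on one unchanged port can receive two different results.

```python
import struct

# RADIUS attribute numbers (RFC 2865/2868); vendor 9 / sub-type 1 is cisco-avpair
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
CISCO_VENDOR_ID, CISCO_AVPAIR, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 9, 1, 13, 6

def attr(atype, value):                       # Type(1) Length(1) Value
    return struct.pack("!BB", atype, 2 + len(value)) + value

def tagged_int(tag, value):                   # RFC 2868: tag octet + 3-octet value
    return bytes([tag]) + value.to_bytes(3, "big")

def cisco_avpair(text):                       # Vendor-Specific carrying one cisco-avpair
    data = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_accept_attrs(pool_name, sgt, tag=1):
    """Constructed Access-Accept attributes for one authorization profile: the
    pool/VLAN name in Tunnel-Private-Group-ID and the SGT as cts:security-group-tag."""
    return (attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + pool_name.encode())
            + cisco_avpair("cts:security-group-tag=%04x-00" % sgt))

def decode_accept_attrs(blob):
    """Walk the TLVs and return what the edge node would apply to this session."""
    result, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        value = blob[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value[:1] <= b"\x1f":
            value = value[1:]                 # drop the optional tag octet (0x00-0x1F)
        if atype == TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(value, "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            result["tunnel_medium"] = int.from_bytes(value, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan_name"] = value.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            subtype, sublen = value[4], value[5]
            text = value[6:4 + sublen].decode()
            if subtype == CISCO_AVPAIR and text.startswith("cts:security-group-tag="):
                result["sgt"] = int(text.split("=")[1].split("-")[0], 16)
        i += alen
    return result
```

Feeding `build_accept_attrs("172.16.1.1_HR", 5)` and `build_accept_attrs("172.17.1.1_ENG", 17)` through `decode_accept_attrs` gives two different VLAN/SGT results from identical port configuration, which is what "show access-session interface <int> detail" reports per session.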

Thanks for your update, but I am confused by open authentication and closed authentication as in the Cisco doc. With closed authentication, once the user succeeds in authenticating, it can get DHCP and all the services, but with open authentication it doesn't need to go through the 802.1X authentication process to get DHCP or DNS services, like no authentication. So what is the difference between open authentication and no authentication?

Another name for Open Authentication is "Monitor mode". Which is mainly used during initial phases of deployment or migrations to make sure that clients can authenticate with their respective credentials or certificates without denying the access to the network.


With Open Authentication you can also determine if a client is capable of using dot1x or not, which devices have correct credentials, correct certificates, dynamically start adding endpoints to the endpoint database in ISE based on their MAC addresses, etc.

Once you confirm that your clients are working with Open Auth/Monitor mode, you can change the template to Closed if access control is required for these hosts.


waleedmatter
Level 1

Thanks for your update. So open authentication is like a simulation or test of the authentication, but at the end we can accept or deny the user depending on whether he failed or succeeded in the authentication through ISE, correct? Then, after we are sure that the authentication will work, we can change it to closed authentication (real), correct?

Yes, that is correct. With Open Auth you will see RADIUS log events for clients connected in Open Auth ports, and determine if the authentication flow is correct before changing to Closed.
