Which Operand to use in an Authorization Condition ???

Hi, all.

We are having a little trouble using the correct operand in an authorization condition, here is what we are trying to accomplish:

In our 802.1x environment, ISE is profiling all devices, including the printers.

Up until now, all printers (different vendors) are authenticated using MAB (because the "old" printers are not able to carry a certificate), identified by profiling and, if correctly identified, authorised into the printer vlan.

Now it has been decided to get rid of all the old printers and replace them with new models (by Xerox) that are capable of carrying and using (internal) certificates to authenticate with EAP-TLS and NOT use MAB !!! Great idea !!

However, this creates the small problem of "onboarding" the printers, since they neither have an internal certificate, nor 802.1x enabled when they arrive. To do that, they need to be given temporary access to the network so that the new printers can be discovered (SNMP) by the Xerox Management server and have the certificate put onto them ....

We try to build that "onboarding process" by using the profiling feature of ISE, in the following way:

When the new (and unknown to ISE) device gets plugged into the network, the first thing ISE learns about it is the MacAddress.
The MacAddress then gets assigned to the EndPoint Policy:
Xerox-Device

At this point we try to give the device RESTRICTED Access using MAB for Authentication and a specific DACL which only allows common network services (like DHCP, DNS, SNMP, etc.) and access from and to the ISE deployment (for NMAP scanning, etc.).

To achieve this we try to use the EndpointPolicy attribute in the Endpoints dictionary:

FrankLotharWeber_0-1697633844289.png

When this restricted (Phase1) access is given to the device, it will be NMAP scanned by ISE after it has requested a DHCP IP address, ISE will also evaluate parameters from that request.

After all these parameters have been evaluated, the device has been reprofiled with more detail now, it is no longer just a "Xerox-Device", it has been recognized as a Xerox-Printer or even a Xerox-Altalink-Printer:

Like this:

FrankLotharWeber_1-1697634287782.png

or this:

FrankLotharWeber_2-1697634307093.png

As you can see in the pictures, the Xerox Endpoint Policies are nested, meaning a device profiled as Xerox-Printer or Xerox-Altalink-Printer also has the Xerox-Device in that complete policy name ....

We tried to make good use of that, by inserting another "onboarding" phase 2 into the process, like this:

Phase 1:
- Device profiled as Xerox-Device (via Mac)
- gets authenticated via MAB (using the EndPoint:EndPointPolicy EQUALS Xerox-Device attribute in a condition)
- restricted access to network services and ISE only
- Device requests DHCP, is NMAP scanned
- very short Reauth-Timer (minutes only)

Phase 2:
- Device is re-profiled as Xerox-Printer / Xerox-Altalink-Printer
- gets re-authenticated via MAB (using the EndPoint:EndPointPolicy EQUALS Xerox-Device:Xerox-Printer attribute in a condition)
- restricted access to network services, ISE and Xerox Management Server
- 2 hours Reauth-Timer (time to discover and configure the device)
- Device gets discovered by Xerox Management Server, gets internal certificate, gets configured for .1x/EAP-TLS

Both of the stages are referenced in one authorization rule:

FrankLotharWeber_4-1697635614692.png

And here is the problem:

No printer device will ever reach the Stage 2-Rule, because the condition of phase 1 (EndPoint:EndPointPolicy EQUALS Xerox-Device) always catches, no matter if the device has already been profiled in more detail !!!!!

Why might that be ?? I thought that the operand EQUALS only hits when EXACTLY the same EndPointPolicy String is present ... ???
Here it seems that EQUALS also means CONTAINS ....

Which operand is correct here ???

ISE 3.1, Patch 7 btw.

Rgs

Frank
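
The behaviour described in the post (the phase-1 rule on the parent policy name swallowing endpoints that have since been re-profiled as a child policy) is a rule-ordering problem whenever the comparison treats a parent name as matching its children. The Python below is an added simulation, not Cisco ISE code and not a statement of how ISE's EQUALS operator is actually implemented (the thread does not settle that); it models first-match-wins authorization rules over hierarchical policy names like `Xerox-Device:Xerox-Printer`, compares an exact-string matcher with an ancestor-inclusive one, and includes a small lint (`shadowed_rules`) that flags rules that can never be reached under a given matcher. Rule names, profile labels and endpoint policy strings are constructed for the example; only the Xerox policy names come from the post.

```python
"""Simulation of first-match-wins authorization rules over hierarchical
endpoint policy names. Added illustration for the onboarding design in the
post; it does NOT reproduce Cisco ISE's real matching logic."""
from dataclasses import dataclass
from typing import Callable, List

Matcher = Callable[[str, str], bool]


def ancestors(policy: str) -> List[str]:
    """Policy name plus every ancestor, most specific first, e.g.
    'Xerox-Device:Xerox-Printer' -> [that, 'Xerox-Device']."""
    parts = policy.split(":")
    return [":".join(parts[:i]) for i in range(len(parts), 0, -1)]


def exact_equals(endpoint_policy: str, wanted: str) -> bool:
    """What the post expected EQUALS to mean: the whole string must match."""
    return endpoint_policy == wanted


def hierarchical_equals(endpoint_policy: str, wanted: str) -> bool:
    """Ancestor-inclusive match: the wanted name is the endpoint's policy or
    any parent of it (the behaviour the post observed)."""
    return wanted in ancestors(endpoint_policy)


@dataclass(frozen=True)
class Rule:
    name: str           # constructed rule name
    wanted_policy: str  # EndPoints:EndPointPolicy value the condition tests
    profile: str        # constructed authorization profile / dACL label


def first_match(rules: List[Rule], endpoint_policy: str, matcher: Matcher) -> str:
    """Return the profile of the first rule whose condition matches."""
    for rule in rules:
        if matcher(endpoint_policy, rule.wanted_policy):
            return rule.profile
    return "DenyAccess"


def shadowed_rules(rules: List[Rule], matcher: Matcher) -> List[str]:
    """Lint: a rule is unreachable if an earlier rule's condition already
    matches the very policy name the later rule is waiting for."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if matcher(later.wanted_policy, earlier.wanted_policy):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rules mirroring the two onboarding phases in the post.
PHASE1 = Rule("Phase1-Onboard", "Xerox-Device", "Restricted-DACL")
PHASE2 = Rule("Phase2-Provision", "Xerox-Device:Xerox-Printer", "XeroxMgmt-DACL")
PARENT_FIRST = [PHASE1, PHASE2]     # order used in the post
SPECIFIC_FIRST = [PHASE2, PHASE1]   # most specific policy evaluated first


def run_scenarios() -> dict:
    printer = "Xerox-Device:Xerox-Printer"
    altalink = "Xerox-Device:Xerox-Printer:Xerox-Altalink-Printer"
    return {
        "exact/parent-first/printer": first_match(PARENT_FIRST, printer, exact_equals),
        "hier/parent-first/printer": first_match(PARENT_FIRST, printer, hierarchical_equals),
        "hier/specific-first/printer": first_match(SPECIFIC_FIRST, printer, hierarchical_equals),
        "hier/specific-first/altalink": first_match(SPECIFIC_FIRST, altalink, hierarchical_equals),
        "hier/specific-first/device": first_match(SPECIFIC_FIRST, "Xerox-Device", hierarchical_equals),
        "hier/specific-first/other": first_match(SPECIFIC_FIRST, "HP-Device", hierarchical_equals),
        "shadowed/parent-first": shadowed_rules(PARENT_FIRST, hierarchical_equals),
        "shadowed/specific-first": shadowed_rules(SPECIFIC_FIRST, hierarchical_equals),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key:30s} -> {value}")
```

Under the ancestor-inclusive matcher the parent-first order never reaches the phase-2 rule, which is exactly the symptom in the post; placing the most specific policy first (or using a comparison that really is exact) restores the intended least-privilege progression, and the `shadowed_rules` lint reports the unreachable rule before the design is deployed.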


15 Replies

You can't set the Parent Policy to NONE because this is a Cisco Provided Policy (it's greyed out). If you clone the Xerox-Printer Policy you can do whatever you like with it. The challenge then, is to ensure that sufficient Rules in that Policy match to cause the Certainty Factor to be achieved.

ArneBier_0-1699308759356.png


I tried this, and re-ran my test. Still, Stage 1 matched, which surprised me, since the endpoint was now profiled as Xerox-Printer_copy (with no parent Policy). I noticed that the endpoint had not been re-profiled. Had it been, then perhaps it would have worked.

I then deleted the endpoint, and added the Xerox-Printer_copy profile statically, and re-ran the test. Same result. ISE profiles it as Xerox-Printer_copy but the AuthZ still matches Xerox-Device. I give up.

ArneBier_1-1699309520289.png