ISE Endpoint Identity Group assignment for 802.1x clients

Hello
I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.
Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
AD PC's aren't profiled and are listed under Endpoints with the Endpoint Profile of "unknown".
To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
My questions are:
A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
Authenticated 802.1x AD PC's have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PC's to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
Thanks
Andy


Similar Messages

  • IP address Assignment for 802.1x Client

    Working on a Wireless deployment using 802.1x and a question has come up regarding Address Assignment.
    The design requires wireless vlan assignment based on username and Active Directory group assignment.
    The simplest way to provide dynamic addressing would obviously be multiple DHCP Scopes on a server and use ip helper functionality to provide relay servers.
    Another option (I think) would be to create IP address pools in the ACS server based on ACS group and have ACS pass it back as part of the authentication process. I'm wondering if this is even a valid option with 802.1x authentication. It seems to me that it would cut down on a lot of the traffic associated with a DHCP discovery/request/offer conversation as the number of wireless clients starts to grow.

    Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (eg IP address/mask/gateway/DNS/etc).
    There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
    peter

  • ISE 1.2 - Match Policy Set based on endpoint identity group?

    Hello, I would like to create a condition that would force MAB'd clients to hit a certain policy set if their MAC address matches one in an endpoint identity group? Is this possible? I feel like a condition can be created using a combination of attributes, but I cannot seem to hit on it properly. Thanks.

    The cleanest way to do this would be to dedicate:
    1. (Wired) A test switch where all of your test devices are connecting. You can then build a policy set that matches against that NAS.
    2. (Wireless) A test SSID and/or a controller (virtual or 2504). You can then build a policy set that is dedicated to that SSID 
    Thank you for rating helpful posts! 

  • ISE Identity Group Assignment

    I need to avoid a large set of devices getting access to the Internet through the Wireless Guest Service. I had made some tests and know I can block a MAC address through the Policy Authorization (If Blacklist then DenyAccess).
    In order to blacklist a large set I would like to import the MAC list and include in the CSV the Identity Group Assignment. It appears it is not possible ... Is there an easy way to change the Identity Group Assignment instead of one by one?
    Regards.
    Daniel Escalante.

    Additional Information and Question:
    Currently my Authorization Policy has this:
    The result is that any user trying to access the Guest Service can see the Guest Portal, introduce Credentials and if they are valid, the AUP is displayed; after that, if the device is in the Blacklist, service is denied and the Guest Portal is displayed again, but no message about the situation is indicated to the user. I wonder if I can generate a message and even avoid the AUP if the device is in the blacklist.
    Any comment will be greatly appreciated.
    Regards.
    Daniel Escalante

  • Static Identity Group Assignment

    Does anyone know a way to bring in an endpoint with the following attributes?
    Endpoint Policy Name       Static = True
    Static Group Assignment   Static = True
    The 1.2 manual says;
    If the file used for import contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the static assignment, then they are not re-profiled during import. 
    To change a dynamic assignment of an endpoint identity group to static, check the Static Group Assignment check box. If the check box is not checked, then the endpoint identity group is dynamic as assigned by the profiler based on policy configuration.
    Statically Profiled Endpoints
    An endpoint can be profiled statically when you create an endpoint with its MAC address and associate a profile to it along with an endpoint identity group in Cisco ISE. Cisco ISE does not reassign the profiling policy and the identity group for statically assigned endpoints.
    A) Does anyone know a way to import from an LDAP database and maintain the Static Group Assignment = True.
    I successfully do an LDAP import of the MAC and Endpoint Group (which comes in as True) but the Static Group Assignment has the Endpoint Group Assignment correct but static is false unchecked.  I don't want these profiling any more.  These are thousands of endpoints and I do not see any way to do a bulk change.  I have tried exporting and re-importing but that doesn't really scale.
    B) Would creation of an endpoint group that is not part of the Profiled endpoint group change the behavior I see above when I do my LDAP import?
    If there were a way to do the bulk selection and change the static property or the Static Group Assignment that would be of huge benefits.  The changes apply to the fields selected within the endpoints while maintaining the MAC property of the endpoint.
    Thanks in advance for any suggestions.

    James,
    That is possible but do you have the dhcp probe enabled and have you thought about setting up an ip helper statement or assigning the ISE node as one of the dhcp servers on the WLC?
    There is a built in check such that if the dhcp class identifier contains MSFT will profile the endpoint as a windows workstation.
    However if this is not the case then you can create the following condition under Policy Elements > Conditions > Profiling > New Profiler Condition: you will use the create (advanced...) option, then select NMAP > 135-tcp > then set the operator EQUAL to msrpc.
    Then go under the Microsoft-Workstation and select the option to create a matching identity group (it's much easier rather than using the hierarchy option) and set the certainty factor to 30. Then add this new condition and set the certainty to 30 also.
    Hope that helps,
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • AuthZ Policy using specific Endpoint Identity Groups

    I am trying to create an AuthZ policy that will identify if a device is in specific Endpoint Identity Group.  See policy below.
    I used the IdentityGroup:Name attribute Equals the Identity Group MAB_Devices. Please note that there are NO Identity groups listed in the dropdown options, so I typed in the name. Alas, the rule is not working. Anyone have advice on what I am doing wrong? Thx

    Bransomar, your screenshot is an Authentication policy rule but you should do it in Authorization policy. Authentication policy sorts out requests by request method and origin and assigns an identity store to each.

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has given this same recommendation and I can tell you from experience you will have devices at times that will authenticate via MAB when you don't want them to if you decrease it lower than 10 seconds.
    Read this doc for best practices including the timers listed below.
    I hope this link works. http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x hold, quiet, and ratelimit-period to 300. 
    held-period seconds
    Configures the time, in seconds, for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
    Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state) following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
    Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

  • Manage System Center Endpoint Protection (SCEP) policies for Internet-based clients

    Hi,
    I've recently changed my SCCM configuration in order to allow internet-based clients registered in our domain to communicate with our primary site server. The objectives were to let us manage the SCEP policies of these clients and receive alerts when they're infected even when they are on the road, so not connected to the local network.
    Now, everything seems to be in place; PKI certificates for server and client, the DNS is configured, firewall route too...but I still cannot update the policies of my client when it's not connected to the local network.
    I'm able to reach my primary site from my client when connected outside the network, but the policies won't update until I connect to the local network.
    Is it actually possible to manage the policies and receive alerts from internet-based clients like I'm trying to do?
    Thank you very much for your help

    It's going to come down to log checking at this point to find where the failure is happening or the connection is not happening.
    Initiate a machine policy refresh and watch the two logs noted above.
    CAS.log may also be helpful as well as locationservices.log and clientlocation.log.
    Try deploying an app as well and watch the logs.
    Also, if the client is not properly getting policy, there's no way for it to know that you disabled client CRL checking on the site.
    Jason | http://blog.configmgrftw.com
    Ok so now I see an error in clientlocation.log that might be the cause of my problem.
    [Domain joined client is in Internet]
    [Rotating internet management point, new management point is : SERVER.DOMAIN.COM ...
    [Unable to retrieve AD forest + domain membership] <- Pretty sure this is related to my issue
    I guess it's because my AD schema is not extended, is that right?
    EDIT: I thought this was the issue, but the AD schema seems to be extended already. Any idea of what could cause this error?
    EDIT: Do I need to open ports in order for my client to be able to reach the AD or something? I thought that was the MP's job once we granted him full control access on the AD. Am I wrong?

  • Reassign endpoint identity group en masse in ISE

    I imported a large number of endpoint identities and unfortunately some of them weren't correctly identified and I assigned them the wrong endpoint profile. The endpoints I need to move into another group all share a common OUI. Is it possible to move them all at once? I can't seem to find any way to do this.

    Tom,
    You can use the filter option in order to get the filter for the endpoints that are profiled incorrectly (perhaps the OUI you entered), check the select all option on the top left, and then export those endpoints. After you export the endpoints you can edit the group that you want to change them to, and then reimport this file back into ISE, this will change this back for you.
    I just tested this in my setup and worked fairly well.
    thanks,
    Tarik Admani
    *Please rate helpful posts*
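The export, edit, reimport workflow described in this answer (and the bulk change of the Static Group Assignment flag asked about in the "Static Identity Group Assignment" thread above) is easy to get wrong by hand on thousands of rows, so here is an added example of a script that does the edit step. This is not code from the thread or from Cisco: the column names `MACAddress`, `EndPointPolicy`, `IdentityGroup` and `StaticGroupAssignment`, the sample export and the OUI are all constructed for the example, and you should check the column names against the header line of your own ISE export before using it.

```python
import csv
import io
import sys

# Constructed sample of an endpoint export. The column names are an
# assumption for this example, not taken from the ISE documentation.
SAMPLE_EXPORT = """MACAddress,EndPointPolicy,IdentityGroup,StaticGroupAssignment
00:1A:2B:00:00:01,Unknown,Unknown,FALSE
00-1a-2b-00-00-02,Unknown,Unknown,FALSE
00:50:56:00:00:03,VMWare-Device,Profiled,FALSE
"""


def normalize_mac(mac):
    """Upper-case hex with separators removed, so 00:1a:2b and 00-1A-2B compare equal."""
    return "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")


def reassign_by_oui(csv_text, oui, new_group, make_static=True):
    """Move every endpoint whose MAC starts with `oui` into `new_group`.

    Returns (rewritten CSV text, number of rows changed). Rows that do not
    match are written back unchanged, so the file stays a complete export.
    """
    prefix = normalize_mac(oui)
    if len(prefix) != 6:
        raise ValueError("an OUI is the first three octets of the MAC address")
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    changed = 0
    for row in rows:
        if normalize_mac(row["MACAddress"]).startswith(prefix):
            row["IdentityGroup"] = new_group
            if make_static:
                # Static assignment stops the profiler from moving the endpoint again.
                row["StaticGroupAssignment"] = "TRUE"
            changed += 1
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), changed


def endpoint_rows(csv_text):
    """(MAC, group, static flag) per row, for a quick before/after comparison."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sorted((r["MACAddress"], r["IdentityGroup"], r["StaticGroupAssignment"])
                  for r in reader)


if __name__ == "__main__":
    if len(sys.argv) == 5:
        src, dst, oui, group = sys.argv[1:]
        with open(src, newline="") as f:
            text = f.read()
        new_text, n = reassign_by_oui(text, oui, group)
        with open(dst, "w", newline="") as f:
            f.write(new_text)
        print(f"{n} endpoints moved to {group}; review {dst} before importing")
    else:
        new_text, n = reassign_by_oui(SAMPLE_EXPORT, "00:1A:2B", "Printers")
        print(new_text)
```

Run it as `python reassign.py exported.csv fixed.csv 00:1A:2B Printers`, then import `fixed.csv` back into ISE. Diffing the two files before importing is a cheap way to confirm that only the intended OUI was touched; the MAC normalization is there because exports and hand-edited lists rarely agree on separators or case.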

  • Responsible Group Assignment for Interaction Record

    The Functional configuration team is trying to determine how to assign an interaction record to Responsible Group and not to an individual User.   If anyone has any suggestions or experience with how the responsible group can work, it would be greatly appreciated.
    Thanks

    Hi pamela
    Currently you have the partner function Interaction center agent in your Interaction record, i.e. why it is assigning it to the user.
    Interaction Record of ICWC is nothing but a business activity in the CRM online system; if you want the responsible group to be attached to the Interaction record, please assign the partner function Responsible Group to the Partner determination procedure assigned to your business activity as stated by sridhar.
    hope this resolves your Query
    Cheers!!
    Regards
    Raj

  • ISE Authentication cache in CWA for Guest

    Ciao,
    do you know how I can cache a guest authentication?
    For example a Guest connects to the guest SSID (open) and authenticates using CWA (ISE and WLC). After that, every time the guest logs off and logs in, no authentication is required during the same days.
    Thanks

    You can find the "Automatically register guest devices / Allow guests to register devices" option here -> Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Registration Settings.
    Using this option: Automatically create an endpoint for the device from which the guest is accessing this portal. The endpoint will be added to the endpoint identity group specified for this portal and is subject to the identity group's purge policy.
    An authorization rule can now be created to allow access to endpoints in that identity group, so that web authentication is no longer required.
    And you have "ActivatedGuest" option in 1.2

  • Cisco ISE: How to match an endpoint belong to an identity group ?

    Hello,
    I am running Cisco ISE 1.1.4.218 in a standalone environment.
    I am trying to setup Compound Condition for Authorization.
    I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
    I created 1 endpoint identity group and 2 children groups
    - GroupParent
         - ChildA
         - ChildB
    I put the MAC address of my machine in the group ChildA.
    In my condition, I tried the following:
    IdentityGroup:Name, Equals, ChildA
    IdentityGroup:Name, Equals, GroupParent:ChildA
    IdentityGroup:Name, Match, .*(ChildA).*
    I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
    IdentityGroupName, Equals, GroupParent
    IdentityGroupName, Match, .*(GroupParent).*
    But none of these options worked.
    I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
    Can anyone help me ?
    Best regards,
    David

    You could try the following to match only the parent group
    IdentityGroup:Name EQUALS GroupParent
    You could try the following to match only child group A
    IdentityGroup:Name EQUALS GroupParent#ChildA
    You could try the following to match all child groups of GroupParent
    IdentityGroup:Name STARTS_WITH GroupParent
    Please rate if this helps
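To make the difference between the attempts in the question and the conditions in this answer concrete, here is an added example (not code from the thread or from Cisco) of a small evaluator for IdentityGroup:Name conditions. Only the '#' separator between parent and child names and the EQUALS and STARTS_WITH operators are taken from the answer above; the endpoint table, the `evaluate`, `matching_endpoints` and `children_of` functions and the extra "GroupParentOld" group are constructed for this example. It also shows one caveat of the STARTS_WITH form: a plain prefix also matches any unrelated group whose name happens to begin with the same letters, which appending the '#' separator avoids.

```python
# Constructed sample endpoint table: MAC address -> full identity group path.
# ISE writes a child group as Parent#Child, as in the answer above.
ENDPOINTS = {
    "00:11:22:33:44:55": "GroupParent#ChildA",
    "00:11:22:33:44:66": "GroupParent#ChildB",
    "00:11:22:33:44:77": "GroupParent",
    "00:11:22:33:44:88": "GroupParentOld",        # unrelated group sharing the prefix
    "00:11:22:33:44:99": "Profiled#Cisco-IP-Phone",
}


def evaluate(group_name, operator, value):
    """Evaluate one IdentityGroup:Name condition against an endpoint's group path."""
    if operator == "EQUALS":
        # Exact match on the full path, so a bare child name never matches.
        return group_name == value
    if operator == "STARTS_WITH":
        return group_name.startswith(value)
    raise ValueError(f"unsupported operator: {operator}")


def matching_endpoints(operator, value, endpoints=ENDPOINTS):
    """Sorted MACs whose identity group satisfies the condition."""
    return sorted(mac for mac, group in endpoints.items()
                  if evaluate(group, operator, value))


def children_of(parent, endpoints=ENDPOINTS):
    """Only the children of `parent`: excludes the parent itself and any
    other group whose name merely begins with the same letters."""
    return matching_endpoints("STARTS_WITH", parent + "#", endpoints)


if __name__ == "__main__":
    # The EQUALS attempts from the question, against the ChildA endpoint.
    for value in ("ChildA", "GroupParent:ChildA", "GroupParent#ChildA"):
        print("EQUALS", value, "->", evaluate("GroupParent#ChildA", "EQUALS", value))
    print("STARTS_WITH GroupParent ->", matching_endpoints("STARTS_WITH", "GroupParent"))
    print("children of GroupParent ->", children_of("GroupParent"))
```

When the intent is "any child of GroupParent", `STARTS_WITH GroupParent#` is the safer condition to put in the authorization rule; `STARTS_WITH GroupParent` on its own also matches the parent group and any sibling such as GroupParentOld, which is the kind of over-match that quietly grants access to the wrong endpoints.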

  • ISE 1.2 Multi-Portal Identity Group Mapping

    Hi,
    Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
    I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I can't find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal and get a successful authentication message. Of course I can further restrict the access in another policy rule, but this isn't a very neat solution.
    Anybody have any ideas? It seems so basic that it has to be possible somehow?!
    Regards

    You can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
    In the end if a user logs into portal A they hit the DRW and accept, ISE dumps them into an endpoint group called PortalA, you can then tie this into a policy where the PortalA endpoint is denied association to any other open SSID you have in your design.
    Here is the document -
    https://supportforums.cisco.com/docs/DOC-26667
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.1.1 - RegisteredDevices Identity Group

    Working on building a ISE 1.1.1 system to match our internal security policies, and have hit a dilemma. Here goes:
    The requirement states that there need to be differing network authorization profiles for different device types: Domain PCs, Non-Domain Workstations, iPads, and iPhone/Android Phones. Also, all (other than IP Phones and printers) endpoints must be self-registered by the user (My Devices workflow in CWA) who operates them so they appear in the My Device Portal.
    In the authorization rules, there appears to be no way to create an authorization rule to match a "profiled workstation" AND a "registered device".
    This is because within ISE, any endpoint that is "registered" joins the RegisteredDevices Identity Group, and is no longer a part of the configured identity group created by the profiling system. For instance, a profiled Win7-Workstation is a member of the profiler-created Workstation IG until it is registered, then it becomes a member of the RegisteredDevices Identity Group.
    So basically, it appears ISE does not support per-device-type (from profiler) authorization rules *while also* supporting device registration ("My Devices").
    Or am I missing something?

    Here is a screenshot of the rule in question:
    and here is the breakout of the Compound condition called WorkstationOSs, based on your recommendation:
    Without this compound condition, the authorization is matched. With it there, it is not matched, even though the endpoints are profiled as such.

  • ISE 1.3 Identity Group

    Hello,
    in the old ISE 1.2 my guest users (created by the sponsor portal) were put into a self-created identity group called RU2_id_grp.
    How can I realize this on ISE 1.3? In ISE 1.3 the users always fall into the GuestType_Group which was created by ISE.
    I need the separate groups for my authorization policy.
    Regards
    filip

    OK, then DESELECT the option above and do this:
    Navigate to Guest Access > Settings > Guest Locations and SSIDs.  Enter the locations to which your sponsors will assign guests:
    Remember to Save.
    Now to Guest Access > Configure > Sponsor Groups.  Click Create:
    Once you place your cursor in the text box for Select the locations that guests will be visiting, you will see the locations you created in the last step.
    Now assign the User Group to be associated with this Sponsor Group by clicking the Members... button:
    Click OK, then Save.
    This should do it for you.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
