Machine Attribute Check in ISE. CAN IT BE DONE?

Admin Eastland · ‎09-09-2013

Hello,

I'm trying to build a BYOD policy in ISE 1.2. I would like ISE to get machine attributes as part of the authorization policy. Can this be done? I'm not talking about machine authentication. I need something that could be checked at anytime.

Thanks for any help!

jan.nielsen · ‎09-09-2013

Not sure what you mean by machine attributes, are you talking about hardware settings on some device , or attributes on a machine account in windows active directory ?

Admin Eastland · ‎09-09-2013

Something I can use on computers to differentiate a corporate asset from a BYOD asset.

jan.nielsen · ‎09-09-2013

Well, if you are using your regular internal CA to issue certs for corp. assets, and another CA for BYOD via ISE provisioning for example, you can use elements from your devices cert in authorization rules.

Something like :

Corp cert issuer=internalca.corp.local

Byod cert issuer=byod.whatever.local

Jan

Admin Eastland · ‎09-09-2013

The devices are using PEAP

Naveen Kumar · ‎09-10-2013

I have seen in ISE 1.2 configuration guide that we can do the Machine authentication using AD, and once the Machine authenticate and authorised, profiling may happen and we can see the attributes: Please check the below link:

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1062522

harvisin · ‎09-10-2013

HEllo,

Cisco ISE retrieves user or machine attributes from Active Directory for use in authorization policy rules. These attributes are mapped to Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.

Cisco ISE performs user and group membership lookups via LDAP to an Active Directory. Group membership is used to map sponsor users to the corresponding sponsor group in ISE. And if the user is not directly in an Active Directory group, but is a member of a group that is a member of the Active Directory group (nested groups), the user authorization is rejected.

User authentication on an authorization policy fails if the rule contains an Active Directory group name with special characters such as /!@\#$%^&*()_+~

you can also follow the below link_

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_authz_polprfls.html#wp1205205

aqjaved · ‎09-11-2013

Machine Access Restriction for Active Directory User Authorization

Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.

Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.

When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:

•

If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.

•

If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

Please check the below link.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wpxref41479

blenka · ‎09-18-2013

Step 1Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2Click the Attributes tab.

Step 3Choose Add > Add Attribute to add a new attribute or choose Add > Select Attributes From Directory to choose a list of attributes from the directory.

NoteWhen you enter an example user name, ensure that you choose a user from the Active Directory domain to which the Cisco ISE is connected.When you choose an example machine to obtain machine attributes, be sure to prefix the machine name with “host/.” For example, you might use host/myhost.

Step 4Enter a name for a new attribute if you choose to add an attribute.

Step 5Check the check boxes next to the attributes from Active Directory that you want to select, and click OK.

Step 6Click Save Configuration.If you choose to add attributes from directory, enter the name of a user in the Example User field, and click Retrieve Attributes to obtain a list of attributes for users. For example, enter admin to obtain a list of administrator attributes. You can also enter the asterisk (*) wildcard character to filter the results.