Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1313
Views
0
Helpful
10
Replies

How to Implementing ise 1.2 authentication user name against mac address

leemaclalit
Level 1
Level 1

‎09-01-2014 11:26 PM - edited ‎03-10-2019 09:59 PM

Hi all,

My organization wants to authenticate medical devices with certificate.

What I'm trying to do is on the certificate the name of the user will be his mac address,

And the ise policy will be if the user name equal to mac address than he authenticate.

Until now I didn’t succeed.

Is it possible?

Lee.

Labels:
0 Helpful
10 Replies 10

nathan demers
Level 1
Level 1

‎09-02-2014 07:16 PM

It sounds like you are trying to do two different things.

The certificate can be done through 802.1x using peap   I dont know if your devices can handle dot1x so if not they can use MAB.  Far less secure but if its a low level device like a printer that has limited input capability then you are stuck with MAB.  

 

What you could do with MAB is use the OUI and some other identifying information (if available) like device host names (This can be derived from DHCP i believe) and possibly av pairs (RADIUS) to help profile the devices.  These can be put into a custom endpoint profile that is given a specific authorization rule.

The whole point is to try to isolate certain types of equipment so that only they get the custom authz rule 

 

Does this make sense?  Im shooting a little blind here without more info.

0 Helpful

nspasov
Cisco Employee
Cisco Employee

‎09-03-2014 12:04 AM

If I am understanding this correctly you are trying to perform EAP-TLS authentication and you want the x509 principle username to be the MAC address of the authenticating device? Is that correct?

0 Helpful

leemaclalit
Level 1
Level 1
In response to nspasov

‎09-07-2014 02:40 AM

Thanks for your reply,

This exactly what I'm trying to figure.

On the email field in the certificate I putted the mac-address of the device.

And on my ISE I checked this field as the user name x509.

I attached an image from my ISE.

You can see that the user name and the mac address are the same.

The problem is that I can't authenticate them as I want:

User name=mac address. 

Lee.    

Preview file
75 KB
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to leemaclalit

‎09-07-2014 03:33 PM

It looks like your Authorization Profile isn't formed to properly catch the "username" part. Can you share your Policy section with the AuthZ profile?

0 Helpful

leemaclalit
Level 1
Level 1
In response to Marvin Rhoads

‎09-09-2014 05:18 AM

This What I tried so far ,

The Authentication is work fine but the Authorization failed.

If any and radius:user name equals radius:calling stations-ID then permitAccess,

or this one:

If any and radius:calling stations-ID equals certificate:Subject-email(this filed is configure to mac-address) then permitAccess,

thanks,

Lee.

 

 

Preview file
39 KB
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to leemaclalit

‎09-09-2014 08:56 AM

I'm in an ISE class this week and it was suggested to me that you should configure and use a Certificate Authentication Profile (found under Administration, Identity Management, External Identity Sources). Then use that profile in your policy.

You may need to use a field other than email address as the ISE PSN may do some  validation checking to look for a well-formed email address (i.e with an "@" sign in the attribute).

0 Helpful

leemaclalit
Level 1
Level 1
In response to Marvin Rhoads

‎09-10-2014 05:14 AM

Hi Marvin,

I already did it. 

This Why I can see the username as my Mac address from the specified field of the email.

If you see the first picture that I upload, you can see that the ISE recognize the user id as the Mac-address.

this is not the problem.

what i'm trying to do is to "lock" device to Certificate because i don't want That someone will install that certificate on another device.

If anyone have any idea how to do this it I'l be grateful.

Thanks,

Lee.     

Preview file
31 KB
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to leemaclalit

‎09-10-2014 04:01 PM

You first asked about how to avoid failing authorization. Now you mention wanting to lock the use of that certificate to a specific device. Those are two separate issues.

For the first, please share the results of your authorization from the Operations page.

For the second, you should be able to make a compound condition using both the certificate and information from a profiling source that will include the actual MAC address. Several sources can give you this - DHCP profiling, RADIUS accounting, IOS sensor etc. Which to use depends on your environment's capabilities and design. 

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to leemaclalit

‎09-09-2014 01:49 PM

The authentication process is definitely failing (based on the screenshot that you posted). Before I can provide more help I will need screen shots showing all details around the Policy Set that you are using. 

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to leemaclalit

‎09-09-2014 04:12 AM

I agree with Marvin, we need some more info. If possible please paste some screenshots of your authorization policy and details of the conditions/results. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents