
ISE Authorization Profile Question

ALAN MURRAY
Level 1

Hi,

We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into vlans of a manageable size - we do not want to use geographically based vlans for a number of reasons. However there is one scenario which I am struggling with.

A number of students will be living in university owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied when they connect "on campus"). However, in order to do this, I will need to create an authorization policy based on where they are coming from (i.e. what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from but for the life of me I have no idea how I would identify the port.

Anyone have any ideas how I might achieve my goal?

Thanks

Alan

6 Replies

Muhammad Munir
Level 5

Hi

Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.

An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:

A profile name

A profile description

An associated DACL

An associated VLAN

An associated SGACL

Any number of other dictionary-based attributes

blenka
Level 3

I hope you should use a data flow monitoring tool.

Cisco NetFlow data records exported by routers and switches consist of expired traffic flows with detailed traffic statistics useful to monitor bandwidth and network traffic analysis. These flows contain information about source and destination IP addresses along with the protocols and ports used in the end-to-end conversation.

Do you mean you handle the off-campus switches as NADs and control each of those switchports with ISE?

Why do you need to differentiate based on port number?

Hi Peter,

No - I don't mean to handle the off-campus switches as NADs.

The reason I may need to differentiate according to port number is the external switches over which I have no control will, in all probability, be connecting to a single switchport in my network. The users concerned will have different rights depending on whether they are connecting from Halls of Residence which are not owned and operated by the university or whether they are connecting on-campus. It's all to do with how I write my authorization policies.

The good news is that thanks to the information I have received I've figured out what I need to do.

Thanks to all who have helped - sorry I didn't reply to all posts individually but you have all been a great help.
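The two threads of this discussion, the authorization profile contents listed in Muhammad Munir's reply and Alan's need to key a rule on the switch and the ingress port, can be modelled in a few lines. The following is an added example, not Cisco code and not something posted in this thread. It assumes the access switch reports its own address in the standard RADIUS attribute NAS-IP-Address and the ingress interface in NAS-Port-Id (both are real RADIUS attributes that Cisco IOS switches send), that rules are evaluated in order with first match winning, and that the VLAN is returned with the IETF Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple. The rule names, switch addresses, port names, VLAN numbers and dACL name are constructed for illustration.

```python
"""Toy model of an ISE-style authorization policy keyed on NAD and port.

Added example (not Cisco's or the thread's code). The "Identity Group" of
switches from the question is modelled as a set of NAS-IP-Address values,
and the port condition is a regular expression over NAS-Port-Id.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# IETF RADIUS values used for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


@dataclass(frozen=True)
class AuthzProfile:
    """The container described in the thread: name, description, VLAN,
    optional dACL and any further dictionary attributes."""
    name: str
    description: str
    vlan: int
    dacl: Optional[str] = None
    extra_attrs: Dict[str, str] = field(default_factory=dict)

    def to_access_accept(self) -> Dict[str, object]:
        """Render the profile as the attributes an Access-Accept would carry."""
        attrs: Dict[str, object] = {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(self.vlan),
        }
        if self.dacl:
            # The dACL is referenced by name in a Cisco AV-pair; the switch then
            # downloads its body. The ACL name itself is a constructed value.
            attrs["cisco-av-pair"] = f"ACS:CiscoSecure-Defined-ACL={self.dacl}"
        attrs.update(self.extra_attrs)
        return attrs


@dataclass(frozen=True)
class Rule:
    name: str
    nad_group: FrozenSet[str]          # NAS-IP-Address values in the device group
    port_pattern: Optional[str]        # regex over NAS-Port-Id; None = any port
    profile: AuthzProfile

    def matches(self, request: Dict[str, str]) -> bool:
        if request.get("NAS-IP-Address") not in self.nad_group:
            return False
        if self.port_pattern is None:
            return True
        return re.fullmatch(self.port_pattern, request.get("NAS-Port-Id", "")) is not None


def authorize(rules: List[Rule], request: Dict[str, str],
              default: AuthzProfile) -> Tuple[str, AuthzProfile]:
    """First matching rule wins; fall through to the default profile."""
    for rule in rules:
        if rule.matches(request):
            return rule.name, rule.profile
    return "Default", default


# Constructed policy: the aggregated ADSL circuits land on one port of one
# switch; every other port on campus edge switches gets the campus profile.
PROFILE_HALLS = AuthzProfile("Halls-Student", "off-campus housing, restricted",
                             vlan=810, dacl="HALLS-RESTRICT")
PROFILE_CAMPUS = AuthzProfile("Campus-Student", "on-campus student access", vlan=200)
PROFILE_DEFAULT = AuthzProfile("Quarantine", "no rule matched", vlan=999)

RULES = [
    Rule("Halls-Student", frozenset({"10.1.1.5"}), r"GigabitEthernet1/0/48", PROFILE_HALLS),
    Rule("Campus-Student", frozenset({"10.1.1.5", "10.1.2.10", "10.1.2.11"}), None, PROFILE_CAMPUS),
]

# Constructed Access-Request attribute sets.
HALLS_REQUEST = {"User-Name": "student1", "NAS-IP-Address": "10.1.1.5",
                 "NAS-Port-Id": "GigabitEthernet1/0/48", "Calling-Station-Id": "00-11-22-33-44-55"}
CAMPUS_REQUEST = {"User-Name": "student1", "NAS-IP-Address": "10.1.2.10",
                  "NAS-Port-Id": "GigabitEthernet1/0/3", "Calling-Station-Id": "00-11-22-33-44-55"}
UNKNOWN_NAD_REQUEST = {"User-Name": "student1", "NAS-IP-Address": "10.9.9.9",
                       "NAS-Port-Id": "GigabitEthernet1/0/48"}

if __name__ == "__main__":
    for req in (HALLS_REQUEST, CAMPUS_REQUEST, UNKNOWN_NAD_REQUEST):
        rule, profile = authorize(RULES, req, PROFILE_DEFAULT)
        print(req["NAS-IP-Address"], req["NAS-Port-Id"], "->", rule, profile.to_access_accept())
```

The same user identity matches different rules purely on where the Access-Request came from, which is the effect Alan describes; the order of the rules matters, since the aggregation switch appears in both device groups and only its port 48 should receive the restricted profile.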

So you're planning cascading switches and make the 802.1X frames from off-campus clients appear on that single switchport? I'm afraid that's not possible as the remote switch would not forward EAPOL frames. Only hubs are suitable for such multi-auth scenarios.

There is a technology called Network Edge Access Topology (NEAT) that resembles your needs but the ADSL part is still an obstacle.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1473337

Thanks to all who have answered here - it has given me a lot of useful information. However as we have progressed in our design and testing phase we have moved away from the idea of using multi-auth as a solution. We are now looking at security group tags for all our security requirements.

Regards

Alan