ISE Authorization Rule

NETAD, Level 4

Hello, what would be a good authorization rule to authorize PCs to be imaged? They're not on the domain, and a DACL will be applied to them that gives access to the imaging server and internet only. I'm trying to distinguish it from the default authorization policy, which matches anything and gives Internet access only.


9 Replies

Hi, You could create an Endpoint group, add the MAC addresses of the machines to be imaged to that group and then create an AuthZ rule allowing only that Endpoint group access to the Imaging server and the internet via the DACL.

You could create a MyDevices portal to allow staff only the ability to add mac addresses to the group.

HTH

Thanks RJI, now this is fine, but it would require us to manually enter the MAC addresses every time a PC needs to be re-imaged. Do you recommend any other way?

Well you need the machine to not match your existing AuthZ rules, most ideas I come up with require you to have some manual intervention.

- You could add the computer to an AD group for re-imaging purposes, if AuthZ rule matches then allow access to the Imaging server. You'd place that rule above the normal AuthZ rule though.

- If you are re-imaging a current machine, if you disabled the machine in AD you could create a rule to match on account disabled and apply an AuthZ rule allowing access to the imaging server. I can think of reasons why you wouldn't want to do that.

- If your desktop team image machines from a specific vlan you could match on the vlan the machine is connecting from and allow access to the imaging server.

The vlan option is actually what I'm looking for, but I didn't know that's possible. I thought ISE could drop them into a vlan but not authorize based on a vlan. What RADIUS attribute should I use to get that accomplished?

Using the vlan as part of a condition is only supported in IBNS 2.0 configuration on the switches; if you are using that, you could specify "Tunnel-Type" or "Tunnel-Private-Group-ID".

If you are using IBNS 1.0 configuration on the switches, perhaps you could use the "NAS-IP-Address" - assuming that the machines are re-imaged from a certain switch?
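To make the two earlier suggestions concrete (the endpoint-group / AD-group rule placed above the default rule, and the VLAN or NAS-IP-Address condition mentioned here), the following is an added example of how ISE's top-down, first-match authorization evaluation behaves. It is not ISE code and not from anyone in this thread; the attribute names NAS-IP-Address and Tunnel-Private-Group-ID are the real RADIUS attributes quoted above, while the rule names, group names, VLAN 999, the switch address 10.1.1.5, the imaging server 10.10.10.25 and the DACL contents are all constructed placeholders.

```python
"""Toy model of ISE authorization-policy evaluation (added example, not ISE code).

ISE walks the authorization policy top-down and applies the first rule whose
condition matches, so an "imaging" rule must sit above the catch-all default,
otherwise the default rule (Internet only) wins for every endpoint.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed DACLs. The imaging DACL allows only the imaging server and web;
# 10.10.10.25 is a placeholder for the imaging server address.
DACL_IMAGING = [
    "permit ip any host 10.10.10.25",
    "permit tcp any any eq 80",
    "permit tcp any any eq 443",
    "deny ip any any",
]
# Default rule from the question: Internet only, no internal networks (constructed).
DACL_INTERNET_ONLY = [
    "deny ip any 10.0.0.0 0.255.255.255",
    "permit ip any any",
]


@dataclass
class Request:
    """What ISE knows about a session: RADIUS attributes plus identity context."""
    mac: str
    nas_ip: str                            # RADIUS NAS-IP-Address (the switch)
    vlan_id: Optional[str] = None          # RADIUS Tunnel-Private-Group-ID (IBNS 2.0 only)
    ad_groups: frozenset = frozenset()     # AD groups of the machine account, if any
    endpoint_groups: frozenset = frozenset()  # ISE endpoint identity groups (by MAC)


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    dacl: List[str]


def imaging_condition(r: Request) -> bool:
    """Any one of the thread's suggestions matches: endpoint group (MAC list),
    AD re-imaging group, the imaging VLAN, or the imaging-closet switch."""
    return (
        "Imaging-Endpoints" in r.endpoint_groups      # constructed endpoint group
        or "Reimage-Computers" in r.ad_groups         # constructed AD group
        or r.vlan_id == "999"                         # constructed imaging VLAN
        or r.nas_ip == "10.1.1.5"                     # constructed imaging switch
    )


# Correct ordering: the specific rule sits above the catch-all default.
POLICY = [
    Rule("Imaging-Hosts", imaging_condition, DACL_IMAGING),
    Rule("Default", lambda r: True, DACL_INTERNET_ONLY),
]


def authorize(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, List[str]]:
    """First-match evaluation, as ISE does it. Returns (rule name, DACL)."""
    for rule in policy:
        if rule.condition(req):
            return rule.name, rule.dacl
    raise RuntimeError("no rule matched; an ISE policy always ends with a default rule")


if __name__ == "__main__":
    host = Request(mac="00:11:22:33:44:55", nas_ip="10.1.1.5")
    print(authorize(host))                          # Imaging-Hosts
    print(authorize(host, list(reversed(POLICY))))  # Default: wrong rule order
```

Running it shows the point RJI makes about rule placement: the same request hits "Imaging-Hosts" with the policy as listed, but falls through to "Default" if the catch-all rule is moved above it.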

How can I tell which IBNS version I'm running?


If the interfaces on your switches have commands similar to the following, then you are using IBNS 1.0:

interface GigabitEthernet1/0/1
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto

If you are using IBNS 2.0 you would have class and policy maps defined globally and not the interface level commands above.
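As an added illustration of the distinction RJI draws (this is example code, not from the thread or from Cisco), the following script classifies a pasted running-config as IBNS 1.0 or IBNS 2.0: legacy `authentication ...` interface commands indicate IBNS 1.0, while `class-map type control subscriber`, `policy-map type control subscriber`, `service-policy type control subscriber` and `access-session` commands indicate IBNS 2.0. The IBNS 1.0 sample is the interface config quoted above; the IBNS 2.0 sample, including the policy-map name, is constructed for the example.

```python
"""Classify a Cisco IOS running-config as IBNS 1.0 or IBNS 2.0 (added example)."""
from typing import Dict, List

# Legacy (IBNS 1.0) interface-level authentication commands.
IBNS1_IFACE_CMDS = (
    "authentication host-mode",
    "authentication open",
    "authentication order",
    "authentication priority",
    "authentication port-control",
    "authentication event",
    "authentication periodic",
    "authentication timer",
)

# New-style (IBNS 2.0) markers: global class/policy maps plus the interface
# commands that replace the legacy "authentication ..." ones.
IBNS2_MARKERS = (
    "class-map type control subscriber",
    "policy-map type control subscriber",
    "service-policy type control subscriber",
    "access-session",
)

# Top-level section keywords that end an interface block in "show run" output.
SECTION_START = ("interface ", "class-map", "policy-map", "aaa ", "radius", "hostname")


def classify_ibns(running_config: str) -> Dict[str, object]:
    """Return the detected IBNS version, the interfaces carrying legacy
    commands, and the IBNS 2.0 lines that were found."""
    ibns1_interfaces: List[str] = []
    ibns2_lines: List[str] = []
    current_iface = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current_iface = None          # "!" separates sections in show run
            continue
        if line.startswith("interface "):
            current_iface = line[len("interface "):]
            continue
        if line.startswith(SECTION_START):
            current_iface = None          # left the interface block
        if line.startswith(IBNS1_IFACE_CMDS):
            iface = current_iface or "<global>"
            if iface not in ibns1_interfaces:
                ibns1_interfaces.append(iface)
        if line.startswith(IBNS2_MARKERS):
            ibns2_lines.append(line)

    if ibns2_lines and not ibns1_interfaces:
        version = "IBNS 2.0"
    elif ibns1_interfaces and not ibns2_lines:
        version = "IBNS 1.0"
    elif ibns1_interfaces and ibns2_lines:
        version = "inconsistent"          # both styles seen; check the paste
    else:
        version = "unknown"               # no 802.1X/MAB configuration found
    return {"version": version, "ibns1_interfaces": ibns1_interfaces, "ibns2_lines": ibns2_lines}


# Sample 1: the IBNS 1.0 interface config quoted in the thread.
IBNS1_SAMPLE = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
"""

# Sample 2: constructed IBNS 2.0 config (policy-map name is a placeholder).
IBNS2_SAMPLE = """\
class-map type control subscriber match-all DOT1X
 match method dot1x
!
policy-map type control subscriber PMAP_EXAMPLE_1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
!
interface GigabitEthernet1/0/1
 access-session host-mode multi-auth
 access-session port-control auto
 service-policy type control subscriber PMAP_EXAMPLE_1X_MAB
"""

if __name__ == "__main__":
    print(classify_ibns(IBNS1_SAMPLE))
    print(classify_ibns(IBNS2_SAMPLE))
```

Paste the output of `show running-config` into the script as a string to classify a switch; an "inconsistent" result usually means two different switches' configs were pasted together.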

hmm ok yea then IBNS 1.0. Thanks for your help on this. I will try NAS-IP-Address and hope that they will image from just one switch.

Hey RJI, can I bother you with one more thing? I'm trying to get dot1x working in my lab, but I'm struggling a little. I have a Win7 machine joined to a domain with a GPO enforcing dot1x PEAP with MSCHAPv2, and the dot1x service is started, but the authentication request keeps missing the dot1x authentication policy for some reason and decides to do MAB instead. I attached my configs and debugs. Can you take a look and let me know if I'm missing something or something is misconfigured somewhere?

Attachments: AUTHE-POL.PNG, AUTHOR-POLICY.PNG, RADIUS-LOG-AUTH.PNG
