
ISE Profiled devices not being used in authz policy.

steve.morgan101
Level 1

ISE is standalone.

ver 1.2

Eval license.

I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).

However when this is used in an Authorization Policy it never matches.

Just a basic Policy:

if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ......no match.

I can change Identity group to ANY and it works.

Sure I must be missing something but I've gone round and round with this.

Tried deleting endpoints and allowing them to repopulate....failed.

Tried changing endpoints to static with no luck.

Noticed the "Cisco-IP-Phone" group is under the "Profiled" group so tried using that in the policy....no change.

Whatever I've tried just ends with the Authz going to the "Default" policy.


nspasov
Cisco Employee

This is pretty straight forward and should work the way you expect it. Have you confirmed that the phone is not hitting some rule above the one that you have configured?

If possible paste the following:

1. Screen shot of your policy/policy sets

2. Screen shot of the authentication from ISE

3. Output from the following command on the switch: show authentication session interface interface_name_number (this is the interface where the phone is connecting)

Hi, thanks for getting back to me. I'll get these details as soon as I can get back on the kit.

Hi, sorry for the delay.

Can't get access to the access switch at the moment but all is reported as being OK. dot1x authentication in data domain (no voice VLAN in use).

I've attached some screens from the ISE.

01 shows phones picked up by profiler (dhcp).

02 shows phones profiled into "cisco-ip-phone" group.

03 is the authentication policy in use.

04 is the authorization policy (all except default set to monitor).

05 is the authn/authz completing.

06 is details for the phone MAC ending 5490. To my eye it shows the "any" policy firing on monitor and succeeding on the "default"?

11, 12 and 13 are the same again except with all the authz policies enabled. 13 just seems to show the "any" rule succeeding as expected.

Still cannot understand why the "Cisco-IP-Phone" group is just bypassing? Especially as these are just the default rules that already exist in the ISE out of the box!

Thank you for providing the detailed information. The problem is not with profiling as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screen shot #2 you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store and phones won't be stored there. Your authorization policies look OK so I would suggest you try the following:

1. Enable the top authentication rule called "MAB"

2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols

3. Ensure that "Internal Endpoints" is selected for the Identity Store

4. Test again


I also noticed one more thing on screenshot #6. It looks like the phone hit your "dot1x_Certs" rule. According to your authentication policies in screenshot #3 the only way "dot1x_Certs" should be hit is when the device/user is using "Wired_802.1x". Thus, you need to confirm whether this phone is configured to use 802.1x or not. By default the phone would use MAB and not 802.1x.
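As an added illustration (not part of the thread, and not Cisco's own tooling), here is a small Python parser for the switch output requested earlier in the thread. It runs over constructed sample output in the layout of `show authentication sessions interface <if>` on a Cisco IOS switch, so the Method/State table can be checked programmatically for whether the phone was authenticated by MAB or by 802.1X; the MAC, IP and session ID values are made up.

```python
import re

# Constructed sample output (not from the thread) in the layout of
# "show authentication sessions interface <if>" on a Cisco IOS switch.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0011.2233.5490
           IP Address:  10.1.1.50
            User-Name:  00-11-22-33-54-90
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
    Common Session ID:  0A0101010000000B0003F0D8

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_auth_session(text):
    """Return (fields, methods): session attributes and per-method state."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True          # everything below is the Method/State table
            continue
        m = METHOD_RE.match(line) if in_methods else FIELD_RE.match(line)
        if m and in_methods:
            methods[m.group(1)] = m.group(2)
        elif m:
            fields[m.group(1).strip()] = m.group(2)
    return fields, methods


def winning_method(methods):
    """Name the method that actually authenticated the session, or None."""
    for name, state in methods.items():
        if state.startswith("Authc Success"):
            return name
    return None


def session_summary(text):
    """Compact view of what a practitioner needs: MAC, status, domain, method."""
    fields, methods = parse_auth_session(text)
    return {"mac": fields.get("MAC Address"), "status": fields.get("Status"),
            "domain": fields.get("Domain"), "method": winning_method(methods)}
```

If `method` comes back as `dot1x` rather than `mab`, the phone is doing 802.1X and will be evaluated by the Wired_802.1x authentication rules, not the MAB rule.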

Venkatesh Attuluri
Cisco Employee

Have you tried with the "cdpCachePlatform" attribute?

Thanks for the reply.

Though I'll have to go away and look that up :-)


Hi, I've taken a look at the attribute you mentioned. I'm afraid I don't understand how you mean I should implement it?

As far as I can see all it would do is raise the certainty factor and move the endpoint into a child profiling policy, i.e. from "Cisco-IP-Phone" to "Cisco-IP-Phone -> Cisco-IP-Phone-8961".

The current Authz Policy should fire on any Identity (Cisco-IP-Phone) or child identity beneath it?