ISE Web Authentication with Profile

lomonaco
Level 1

   Hi,

   I'm using Web Authentication with Cisco ISE 1.2.1 without problems.

   Cisco ISE doesn't find the endpoint in my internal endpoint store and continues with Web Authentication.

   But when I enable the PSN with the Profile Server, Cisco ISE dynamically populates the internal endpoint store and I cannot use Web Authentication because the endpoint is already in the internal endpoint store.

   What's the best way to solve this problem?

   Thanks in advance

   Andre Gustavo Lomonaco

5 Replies

nspasov
Cisco Employee

Make sure that the "Identity Store" or the "Identity Store Sequence" selected in your authentication is not set to "Internal Endpoints."

 

Thank you for rating helpful posts!

 

    Hi Neno, let me clarify my question.

    I'm already using my internal endpoints to permit authentication via MAB for my IP Phones, Access Points and Printers. I'm using Profiling to be able to populate this ISE internal database.

    Now imagine that I want to use Web Authentication to permit authentication of guest workstations without 802.1X. If the profiler puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the "continue" option if the MAC is not found in the endpoints database. But when profiling is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use Web Authentication.

So a couple of things:

1. If you are on ISE v1.2.x then you can create policy sets, which will allow you to separate the authentication scenarios.

2. If you can't use policy sets and you must use "Internal Endpoints" in the identity sequence, then you just need to make sure that your "Allowed Protocols" is set to allow "PAP_ASCII - Host Lookup." That way the authentication will pass and the session will be sent to the authorization step.

 

Thank you for rating helpful posts!

You should use Endpoint Identity Groups (e.g. IP Phones, Access Points and Printers) in the Authentication and Authorization policy rules instead of just matching a rule if an endpoint is present in the database. The profiled workstations will not get into the IP Phone or AP group and will not circumvent web auth.
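To make the difference between the two designs discussed in this thread concrete, here is a small added model (not code from the thread or from Cisco ISE) of how a MAB authentication rule with "If user not found: Continue" feeds a top-down authorization rule table. The MACs, endpoint identity group names and authorization result names are constructed for illustration; the point is that a rule keyed on "endpoint exists in the store" swallows a profiler-inserted guest laptop, while rules keyed on endpoint identity groups let it fall through to the CWA redirect.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    mac: str
    groups: set = field(default_factory=set)  # endpoint identity groups

# Constructed Internal Endpoints store: three known devices in their groups, plus a
# guest laptop the profiler inserted on its own (present, but in no known-device group).
ENDPOINT_STORE = {
    "00:11:22:33:44:01": Endpoint("00:11:22:33:44:01", {"IP-Phones"}),
    "00:11:22:33:44:02": Endpoint("00:11:22:33:44:02", {"Access-Points"}),
    "00:11:22:33:44:03": Endpoint("00:11:22:33:44:03", {"Printers"}),
    "00:11:22:33:44:99": Endpoint("00:11:22:33:44:99", {"Profiled"}),
}

def authenticate_mab(mac, if_not_found="Continue"):
    """MAB against Internal Endpoints. "Continue" is the 'If user not found'
    option the thread relies on to reach web authentication."""
    if mac in ENDPOINT_STORE:
        return "Authenticated"
    return "Continue" if if_not_found == "Continue" else "Reject"

def in_group(ep, group):
    return ep is not None and group in ep.groups

# Authorization rules are evaluated top-down as (name, condition, result).
# Presence-based: any MAC the store knows is permitted, so the guest never reaches CWA.
PRESENCE_BASED_RULES = [
    ("Known-Endpoint", lambda auth, ep: auth == "Authenticated", "PermitAccess"),
    ("Default", lambda auth, ep: True, "CWA-Redirect"),
]
# Group-based: only membership in a known-device group grants access; anything
# else, present in the store or not, falls through to the CWA redirect.
GROUP_BASED_RULES = [
    ("IP-Phones", lambda auth, ep: in_group(ep, "IP-Phones"), "Voice-Access"),
    ("Access-Points", lambda auth, ep: in_group(ep, "Access-Points"), "AP-Access"),
    ("Printers", lambda auth, ep: in_group(ep, "Printers"), "Printer-Access"),
    ("Default", lambda auth, ep: True, "CWA-Redirect"),
]

def authorize(mac, rules, if_not_found="Continue"):
    auth = authenticate_mab(mac, if_not_found)
    if auth == "Reject":
        return "Reject"  # the session never reaches authorization
    ep = ENDPOINT_STORE.get(mac)
    for _name, condition, result in rules:
        if condition(auth, ep):
            return result
    return "DenyAccess"
```

Run `authorize("00:11:22:33:44:99", PRESENCE_BASED_RULES)` against `authorize("00:11:22:33:44:99", GROUP_BASED_RULES)` to see the profiled guest laptop get `PermitAccess` under the first table and `CWA-Redirect` under the second.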

manjeets
Level 3

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_30_ise_profiling.pdf
