ISE Endpoint Identity Group assignment for 802.1x clients

andrewswanson
Level 7

Hello

I'm using ISE 1.3 to 802.1x-authenticate AD PCs (machine and user with AnyConnect NAM) and to profile/MAB IP phones, printers, APs etc.

Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.

AD PCs aren't profiled and are listed under Endpoints with the Endpoint Profile of "unknown".

To place AD PCs into a particular Identity Group, I created a RADIUS Profiling Policy to match on the Framed-IP-Address. This works well, with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).

My questions are:

  • A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
  • Authenticated 802.1x AD PCs have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PCs to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x-authenticated client to an Identity Group at the authorisation stage rather than use the profiler?

Thanks
Andy

3 Replies

derrick.ray1
Level 1

Hi Andy,

Were you able to figure this out?

andrewswanson
Level 7

Hi Derrick. No, I was moved off this work and didn't get it resolved. I'll be looking at ISE again soon so I'll post any findings.

Cheers

Andy

Joseph Johnson
Level 1

The phone consumes a Plus license because you are using a profile to authenticate/authorize the connection. Technically, the PC consumes a Plus license as well but only during the profiling process. It is released after profiling if you do not use the profiling information in an authorization rule.

Endpoint groups are based on profiling or guest assignment (which is kind of like the probe-based profiling). I have not seen any way to assign an 802.1x-authenticated device to an endpoint group outside of profiling.

ISE 2.1 has an AD profiling probe built in if you want to build an endpoint group based on the AD join point of the PC. It was not available in previous ISE releases. You can use that to profile AD joined computers and automatically add them to an endpoint group. You can find more information here:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200553-Configure-ISE-2-1-Profiling-Services-bas.html

Using that and the resulting endpoint group in an authorization rule would consume a Base and a Plus license (Base for authentication, Plus for the profiling-based authorization).
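The thread leaves open whether an endpoint can be put into an Endpoint Identity Group without going through the profiler. One administrative (not authorization-time) route is the ISE ERS REST API: the ERSEndPoint resource carries a groupId and a staticGroupAssignment flag, and setting the flag pins the endpoint to that group so the profiler does not move it again. The script below is an added example written for this page, not code from any poster or from Cisco. It assumes ERS is enabled on the admin node (port 9060) with an account holding the ERS Admin role, that the deployment is an ISE 2.x release whose ERS endpoint and endpointgroup resources use the field names shown, and that the host, credentials, MAC, group name and the sample JSON are placeholders and constructed data. It does not use AD-Host-Resolved-DNs or any RADIUS attribute; it is a hypothetical out-of-band assignment, for instance driven from an AD computer inventory.

```python
"""Inspect and statically set an endpoint's Endpoint Identity Group via ISE ERS.

Added example for this thread, not Cisco code. Assumes ERS is enabled on the
ISE admin node (port 9060), the account has the ERS Admin role, and the
ERSEndPoint fields groupId / staticGroupAssignment exist as in ISE 2.x.
All hostnames, credentials, ids and the sample JSON below are placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

ERS_PORT = 9060  # ERS listens on the admin node on this port


def ers_headers(user, password):
    """HTTP Basic auth plus the JSON content negotiation ERS requires."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"Basic {token}",
    }


def normalize_mac(mac):
    """ISE keys endpoints by MAC as AA:BB:CC:DD:EE:FF; accept common spellings."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def first_resource_id(search_result):
    """Return the id of the first hit in an ERS SearchResult envelope, or None."""
    hits = search_result.get("SearchResult", {}).get("resources", [])
    return hits[0]["id"] if hits else None


def group_state(endpoint):
    """(groupId, static?) for an endpoint as returned by GET endpoint/{id}."""
    ep = endpoint["ERSEndPoint"]
    return ep.get("groupId"), bool(ep.get("staticGroupAssignment", False))


def static_group_payload(endpoint, group_id):
    """Build the PUT body that pins the endpoint to group_id.

    staticGroupAssignment=True is what keeps the profiler from re-assigning the
    endpoint on its next RADIUS/SNMP hit. The input object is not mutated.
    """
    ep = dict(endpoint["ERSEndPoint"])
    ep["groupId"] = group_id
    ep["staticGroupAssignment"] = True
    return {"ERSEndPoint": ep}


def ers_request(host, headers, method, path, body=None, ctx=None):
    """One ERS call; returns parsed JSON, or None for an empty body.

    ctx should be an ssl.SSLContext that trusts the ISE admin certificate;
    the request carries admin credentials, so do not disable verification.
    """
    url = f"https://{host}:{ERS_PORT}/ers/config/{path}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def assign_static_group(host, headers, mac, group_name, ctx=None):
    """Look up endpoint and group by name, then pin the endpoint to the group.

    Raises LookupError if either is missing: an AD PC that has never
    authenticated has no endpoint record yet, so there is nothing to update.
    """
    mac = normalize_mac(mac)
    ep_id = first_resource_id(ers_request(
        host, headers, "GET", f"endpoint?filter=mac.EQ.{mac}", ctx=ctx))
    grp_id = first_resource_id(ers_request(
        host, headers, "GET",
        f"endpointgroup?filter=name.EQ.{urllib.parse.quote(group_name)}", ctx=ctx))
    if ep_id is None or grp_id is None:
        raise LookupError(f"endpoint {mac!r} or group {group_name!r} not found")
    endpoint = ers_request(host, headers, "GET", f"endpoint/{ep_id}", ctx=ctx)
    return ers_request(host, headers, "PUT", f"endpoint/{ep_id}",
                       body=static_group_payload(endpoint, grp_id), ctx=ctx)


# Constructed sample of GET endpoint/{id} for an AD PC the profiler left in
# the default group, and of a group search; every id here is made up.
SAMPLE_ENDPOINT = {"ERSEndPoint": {
    "id": "8c1f2d60-example-endpoint",
    "name": "00:11:22:33:44:55",
    "mac": "00:11:22:33:44:55",
    "profileId": "",
    "staticProfileAssignment": False,
    "groupId": "aa0e8b40-example-unknown-group",
    "staticGroupAssignment": False,
}}
SAMPLE_SEARCH = {"SearchResult": {"total": 1, "resources": [
    {"id": "bb13f6a0-example-corp-pcs", "name": "Corp-PCs"}]}}

if __name__ == "__main__":
    # Offline walk-through on the constructed data; against a live node use
    # assign_static_group("ise.example.com", ers_headers(user, pw), mac, "Corp-PCs", ctx).
    target = first_resource_id(SAMPLE_SEARCH)
    print("before:", group_state(SAMPLE_ENDPOINT))
    print("PUT body:", json.dumps(static_group_payload(SAMPLE_ENDPOINT, target)))
```

The GET-then-PUT shape matters: ERS expects the full endpoint object back, so the script copies what the node returned and changes only the two group fields. Run standalone it only exercises the constructed sample; the live call path is the `assign_static_group` function.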