09-05-2018 06:52 AM - edited 09-05-2018 06:53 AM
I would like to create an auth rule that only runs once when a new device connects to my network via RADIUS for the first time. For example, a new iPhone attempts to authenticate on the network; it passes AD auth and then will require this second form of auth as well. On any future auth attempts, it will bypass the second auth since it has already successfully authenticated previously (assuming it passed both auth methods on the first connection attempt). Is there a variable I can use to check if a device has been previously successfully authenticated (passing both auth methods)? Thanks!
09-05-2018 07:22 AM
How do you envision this first auth working? At the network level you have MAB and Dot1x. If the device is configured to do Dot1x, which a phone can be configured to do, it will do Dot1x every time. If you are talking MAB there are no credentials unless you bring the session into a portal in ISE and collect them. At that point you could then map the device into an identity group. That identity group could be allowed on for future connections.
Not sure exactly what you are trying to accomplish.
09-05-2018 07:28 AM - edited 09-05-2018 07:30 AM
The profile currently uses Dot1x with AD as the auth. This second auth will be an external RADIUS token server that will only require auth if the device has not successfully authenticated before.
Here is the workflow:
New iPhone (first time connecting to network) -> Authenticate with AD creds -> Receive two-factor push notification -> Network Access granted
Existing iPhone (has already passed both auth methods previously) -> Authenticate with stored AD creds -> Network Access granted
09-05-2018 07:35 AM
09-05-2018 07:43 AM
I do have some devices without a browser (notably some Cisco IP Phones) but I understand your idea. I guess I was really looking for a way to identify a "trusted" device. Is there any way to implement your idea without the need for the guest portal? Side note: the second level auth will take the standard RADIUS creds used for AD authentication.
09-05-2018 07:39 AM
09-05-2018 07:45 AM
Hmmmm, well I intended to use Duo for the second level auth, but I also have AAD Premium at my disposal. I would really use whichever one works best.
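The workflow described in this thread (AD credentials on every connection, a second factor only until the endpoint has passed both stages once, then an identity-group bypass), modelled as an added example; this is not ISE's own policy engine or code from the thread. It assumes endpoints are keyed by MAC address, the "trusted" group is an in-memory set, and the AD and token checks are injected callables so it runs offline.

```python
"""Model of the two-stage 802.1X workflow from this thread (added example).

Assumptions (not from the thread): endpoints are keyed by MAC address, the
"trusted" state lives in an in-memory identity group, and the AD and token
checks are injected as callables so the flow can be exercised offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Set


@dataclass
class TrustedDevicePolicy:
    ad_auth: Callable[[str, str], bool]    # (username, password) -> passed?
    token_auth: Callable[[str], bool]      # username -> second factor passed?
    trusted: Set[str] = field(default_factory=set)  # identity group "trusted endpoints"

    def authorize(self, mac: str, user: str, pw: str) -> str:
        """Return the access decision for one RADIUS request."""
        # Stage 1: AD credentials are required on every connection.
        if not self.ad_auth(user, pw):
            return "REJECT: AD"
        # Endpoints already in the identity group skip the second factor.
        # Caveat: a MAC-keyed group trusts whatever presents that MAC.
        if mac in self.trusted:
            return "ACCEPT"
        # First-time endpoint: the token push is required as well.
        if not self.token_auth(user):
            return "REJECT: token"  # not enrolled; the next attempt still needs MFA
        # Both stages passed once: enroll so later attempts bypass the token.
        self.trusted.add(mac)
        return "ACCEPT"


def run_scenario() -> list:
    """Constructed scenario: bad password, denied push, approved push, return visit, new device."""
    push_approved = {"value": False}
    policy = TrustedDevicePolicy(
        ad_auth=lambda u, p: (u, p) == ("alice", "correct-horse"),
        token_auth=lambda u: push_approved["value"],
    )
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    results = [policy.authorize(mac, "alice", "wrong")]            # REJECT: AD
    results.append(policy.authorize(mac, "alice", "correct-horse"))  # REJECT: token
    push_approved["value"] = True
    results.append(policy.authorize(mac, "alice", "correct-horse"))  # ACCEPT, enrolled
    push_approved["value"] = False
    results.append(policy.authorize(mac, "alice", "correct-horse"))  # ACCEPT, no MFA
    results.append(policy.authorize("66:77:88:99:aa:bb", "alice", "correct-horse"))  # REJECT: token
    return results
```

Note that a denied push leaves the endpoint unenrolled, so its next attempt is still challenged; only a fully successful first pass adds it to the group.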