Removing ISE Authentication for PC Maintenance

mbahij (Cisco Employee)

Hi,

One of my customers is facing an issue when one of the PCs requires IT maintenance.

Summary of issue faced:

Unable to authenticate the pc after technical support activities.

Exact cases to reproduce the error:

1- Disjoin the PC from the domain, then do the required maintenance on the PC, then try to rejoin it again. (Once disjoined, it will lose connectivity as long as it is not part of the domain.)

2- Formatting the PC will lead to losing connectivity as well.

3- The maintenance team needs to engage the ISE team each time they need to do PC maintenance, which is not practical.

Needed Solution:

To find a way for helpdesk representatives to be able to connect to the domain controllers and DHCP servers while doing the maintenance for the targeted PC.

Thank you for your support..

7 Replies

gbekmezi-DD (Level 5)

You can do MAB with restricted access as a workaround. Also, you could do some type of internal portal that lets the technician choose a PC to put in a “maintenance” endpoint group and while that thing is in the maintenance group it does MAB and gets restricted access.

Hi George,

Do you have a reference showing how to do MAB and/or how to do this internal portal to be accessed by the PC technicians?

Thanks..

I would advocate setting up a Temporary Bypass Portal concept using the MyDevices portal.  I set this up on every ISE install to allow Help Desk and Desktop team to add a MAC address into a temporary bypass condition so they can reimage/troubleshoot an issue.  The temporary white list gets purged out every night.

Basic steps:

  1. Setup a RADIUS callback external authentication (RADIUS token server) definition so you can do AD group restrictions on My Devices portal.  Only the sponsor portal allows AD group restrictions, the other portals require us to do the RADIUS callback trick.  It is documented on the forums.  As a side comment "Cisco seriously this callback thing has gone on long enough, surely it can't be hard to add AD restriction to other portal besides the sponsor portal."
  2. Create a RADIUS callback sequence that uses the token server definition.
  3. Setup a policy set for the RADIUS callback to allow the desired AD groups in the authorization phase.
  4. Create an endpoint identity group to hold the Temp bypass MAC addresses.
  5. Create a purge policy to purge the endpoint identity group out every night.
  6. Create a My Devices portal that uses the RADIUS callback sequence and puts the MAC addresses into the endpoint identity group created in #4.
  7. Add a rule to your wired MAB policy set to allow the endpoint identity group created in #4 full access to the network.

Also, I have written an executable that uses the ISE APIs to automatically add the MAC address of the machine the executable is run on to the temp bypass whitelist.  Customers have added this to their build sequence.  Most customers just use the temp bypass portal though.
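As an added example (not the poster's executable, which is not shown in the thread), the ISE ERS API calls such a tool makes, in Python. Assumed rather than taken from the thread: the ERS API on TCP 9060, an ERS admin account, and a hypothetical endpoint identity group named "TempBypass"; the endpoint is created with a static group assignment so profiling cannot move it out of the bypass group before the nightly purge removes it.

```python
# Added example (not the poster's tool). Assumed, not from the thread: ERS API on TCP 9060, an ERS admin account, and a group named "TempBypass" (hypothetical).
import base64
import json
import re
import urllib.request


def normalize_mac(raw: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF (the form ISE stores) or raise ValueError."""
    digits = re.sub(r"[:\-\. ]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def bypass_endpoint_body(mac: str, group_id: str, technician: str) -> dict:
    """ERS payload for a static assignment to the bypass group (static so profiling
    cannot re-home it before the purge); the description records who added it."""
    mac = normalize_mac(mac)
    return {"ERSEndPoint": {"name": mac, "mac": mac, "groupId": group_id,
                            "staticGroupAssignment": True,
                            "description": f"temp bypass added by {technician}"}}


def group_id_from_search(search_result: dict, group_name: str) -> str:
    """Pick the group id out of an ERS endpointgroup search; exactly one match is required."""
    hits = [r for r in search_result["SearchResult"]["resources"] if r["name"] == group_name]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one endpoint group named {group_name!r}")
    return hits[0]["id"]


def ers_request(host: str, user: str, password: str, method: str, path: str, body=None):
    """One JSON ERS call; returns the parsed body, or None when ISE sends none (201)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}:9060{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json",
                 "Content-Type": "application/json"})
    raw = urllib.request.urlopen(req, timeout=10).read()
    return json.loads(raw) if raw else None


def add_to_bypass(host, user, password, mac, technician, group_name="TempBypass"):
    """Resolve the bypass group's id, then create the endpoint inside it."""
    found = ers_request(host, user, password, "GET",
                        f"/ers/config/endpointgroup?filter=name.EQ.{group_name}")
    ers_request(host, user, password, "POST", "/ers/config/endpoint",
                bypass_endpoint_body(mac, group_id_from_search(found, group_name), technician))
```

Because the group name is resolved on every run, renaming or deleting the bypass group makes the tool fail closed rather than create endpoints in the wrong group.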

How has the RADIUS token been working for you in the meantime?  I've had a client asking for authz rules on the My Devices portal for over a year.  It is a much needed feature to be able to use AD/LDAP groups to provide My Devices portal access.

The guest reg portal has it, why can't this one Cisco?

I use the RADIUS callback on every ISE install. I probably have 30+ installs using it and my colleagues use it as well.

Damien Miller (VIP Alumni)

While not a very elegant solution, this only works if the technicians are physically at the machine. Create a static endpoint ID group, assign the technicians' USB NICs into the group while documenting who owns them.  When they need to re-image a PC they can utilize the USB NIC to gain network access.