Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
740
Views
2
Helpful
3
Replies

Specific profiles for specific locations

Go to solution
bricrock
Cisco Employee
Cisco Employee

‎06-18-2018 08:32 AM

An existing, successful ISE deployment is looking to expand to include new departments.  However, these departments are reluctant to participate in ISE because they fear disruption.  For the purposes of this question, let's consider Departments A-G to be existing participants in the ISE deployment.  The new departments will be Departments H and I.

As a first step towards adoption, two new PSN's will be deployed for the purposes of collecting profile/device data from  network devices located in Departments H and I -targeting a sort of Monitor Mode configuration.

Understanding that we can create AuthC policies based on authenticating NAD, how can we then profile these endpoints separately from the existing, working endpoint groups/profiles into new, dedicated endpoint groups/profiles specific to these departments?


For example, we don't want a Windows workstation in Department H to be profiled as simply a "Windows10-Workstation"; but, rather, as a "DeptH-Windows10-Workstation".  Or an Unknown device to be profiled in a separate "DeptH-Unknown" group so that we can talk to the department admins and develop accurate checks (e.g. they may use a different model of printer than what we've accounted for).


Initial thoughts are to use a parent Profiler Policy for the department. This Parent Policy would include a condition of the authenticating NAD.  Child Profiler Policies could then be created, as needed, to refine Unknowns or others.  But this doesn't seem to take priority over the other policies.  Can something be configured in the Policy Set to force a particular endpoint group and set of profiling policies?


Thank you,

Brian

1 Accepted Solution

Accepted Solutions

Go to solution
bricrock
Cisco Employee
Cisco Employee
In response to bricrock

‎06-18-2018 12:05 PM

I figured this out: I had to increase the certainty factor for the custom profile in order for it to supersede the Windows10-Workstation profile.  Once that was done, proper group assignment followed, as expected.

Hopefully we don't have too many custom profiles with high certainty factors.

Thank you,

Brian

View solution in original post

3 Replies 3

Go to solution
adarshane
Level 1
Level 1

‎06-18-2018 11:15 AM

Hello Brian,

Profiling policies are global. For a windows computer to be profiled separately as DeptH-Windows10-Workstation, it needs to send its hostname in a particular format or send some form of dhcp class identifier and you have to match that in a profiling condition on ISE.

The easiest way I think to differentiate building H and I end-devices is,

1) Create new Network device group aka tag for these NADs under Network Devices List > New Network Device

2) Create a separate authorization policy to match this tag and have it assigned built-in Monitor_Profiled authorization

for example,

Rule Name = Monitor_Policy

Condition = Profiled Identity Group (Windows 10, MAC, Printer etc)

Permissions = Monitor_Profiled

This way you can tag NADs separately for building H and I  and end devices authenticated on those can have a different authorization policy.

Once the monitoring period is over, you can change the tag on the NADs and bring them under common authorization policy without making a major change.

Hope this helps!!

Regards,

Amod

0 Helpful

Go to solution
bricrock
Cisco Employee
Cisco Employee
In response to adarshane

‎06-18-2018 11:48 AM

Thanks, Amod.

However, the issue isn't with the Network Device or Policy differentiation; but with the assigned Endpoint Profile and Endpoint Group.

The correct policy is being hit, but the endpoint is receiving the generic Windows10-Workstation Endpoint Profile and, as such, isn't getting placed into the correct/expected Endpoint Group.

Ideally, this is what would happen:

Endpoint authenticates to a switch in Department H via MAB, is assigned the parent profile of DeptH_Device, additional attributes may further profile the endpoint to the child profile of DeptH_Printer, and the device is placed into the endpoint group "DeptH_Printer".  AuthZ policy is simply PermitAccess (we're not trying to affect any network control).

I feel like I'm close, but that I'm not taking into account some default behavior of the ISE.

Thanks again,

Brian

0 Helpful

Go to solution
bricrock
Cisco Employee
Cisco Employee
In response to bricrock

‎06-18-2018 12:05 PM

I figured this out: I had to increase the certainty factor for the custom profile in order for it to supersede the Windows10-Workstation profile.  Once that was done, proper group assignment followed, as expected.

Hopefully we don't have too many custom profiles with high certainty factors.

Thank you,

Brian

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents