ISE SGT user/machine priority, precedence

jonagy — Fri, 09 Feb 2024 20:56:16 GMT

My primary issue:

1. normally windows workstation without logged in user is authenticated and authorized as machine. When user logs in, the pdp role update occurs, where both, user and machine role appear in the same event, and the machine seems "stronger". In other words, some user logins, the previous machine SGT role remains in effect, and this is bogus.

I wish to have machine auth (SGT) be in effect for workstations when no logged in users present, but when an user successfully logs in, the user's SGT/role takes precedence, and matches against Access Role object as source SGT.

Example:

USER_SIMPLE_600 -- user auth by ISE dot1x

SIMPLE_MAB_400 -- machine auth by ISE MAB

[Expert@lab-cp-gw1:0]# pdp monit ip 172.30.110.82 Session: 596210f0 Session UUID: {85646C20-D324-7581-6728-65E6284D99D5} Ip: 172.30.110.82 Machine: sdatestpc@seclab.local {ddfde611} Groups: All Machines;SIMPLE_MAB_400 Roles: SGT_SIMPLE_MAB_400 Client Type: Identity Collector (Cisco ISE) Authentication Method: Trust Distinguished Name: CN=SDATESTPC,CN=Computers,DC=seclab,DC=local Connect Time: Fri Feb 9 16:23:43 2024 Next Reauthentication: Sat Feb 10 04:24:30 2024 Next Connectivity Check: - Next Ldap Fetch: Fri Feb 9 20:31:20 2024 Users: user600@seclab.local {1a2ee685} LogUsername: user600 (user600) Groups: All Users;USER_SIMPLE_600 Roles: SGT_SIMPLE_MAB_400;SGT_USER_SIMPLE_600 Client Type: Identity Collector (Cisco ISE) Authentication Method: Trust Distinguished Name: CN=user600,OU=Seclab Users,DC=seclab,DC=local Connect Time: Fri Feb 9 16:24:00 2024 Next Reauthentication: Sat Feb 10 04:24:30 2024 Next Connectivity Check: - Next Ldap Fetch: Fri Feb 9 21:38:01 2024 Packet Tagging Status: Not Active Published Gateways: Local

as a result here, the src IP 172.30.110.82 would match on "SIMPLE_MAB_400" rule, instead of "USER_SIMPLE_600"

There are separate Access Role objects, with corresponding "Identity Tag" objects for 400 and 600.

With other users (like "USER_SIMPLE_200") this works as expected, but not with the 600. I checked, and confirmed several times, no difference between users, only the tag number (SGT 200<400<600). No other difference. (incl. AD groups, ISE authorization, testing on the same switch port)

On the other hand, would it be possible to rely only on SGT, without LDAP query? (like, working only with radius, i.e. ISE local identities, and LDAP is not available)?

Thanks,

Gyula

Re: ISE SGT user/machine priority, precedence

PhoneBoy — Sat, 10 Feb 2024 02:08:23 GMT

The only way to retrieve groups is via LDAP or via SAML Assertion.

Re: ISE SGT user/machine priority, precedence

jonagy — Sat, 10 Feb 2024 09:45:32 GMT

Hi,

You mean SGT, not AD groups?

However, since the SGTs are associated with users by AD group membership basis on ISE, it seems to be more feasible to rely on AD based ID collector, if that is more reliable. Will see...

thanks

gyula

topic Re: ISE SGT user/machine priority, precedence in Firewall and Security Management

ISE SGT user/machine priority, precedence

Re: ISE SGT user/machine priority, precedence

Re: ISE SGT user/machine priority, precedence

Re: ISE SGT user/machine priority, precedence