Advisor

Identity Collector: ISE and AD continually over-writing each other on the PDP

@PhoneBoy - This is related to the question I asked on the IA tech talk that you gave on Tuesday.

@Royi_Priov  - I hope this thread interests you!

@gpasikowski and @Jason_Buranen thanks for your assistance in troubleshooting this issue!

Overview

In our environment we are currently using Identity Collector to send Active Directory (AD) learned identities to the PDP GW.  This is working well.  However, we want to also connect Cisco ISE to Identity Collector so it can help us identify certain groups of non-AD connected devices.  The thought here is that all devices must use ISE to connect to the network (we are doing NAC, so every device must auth to join the network).  We can then tie a security group (SGT) to the specific types of devices we want to identify and use identity tags inside of access roles in our firewall policy.  

Problem

The problem we have run into is that AD and ISE learn about many of the same endpoints (for example, a domain-joined laptop), and therefore when identity collector forwards the identities as they are learned, the PDP continually over-writes the identity it has learned for a specific IP address.  This causes several issues:

  • When ISE overwrites an identity previously learned from AD, the access roles that are tied to AD are lost for that identity until identity collector receives and forwards another AD login event for that user/IP address.  This means the user no longer matches any identity-based rules tied to their AD userID.  (In our case, this would break access to almost all Internet sites)
  • Adds performance load to the PDP.  This is because identities are continually over-written on the PDP as they are learned from the two different sources.

Potential Solution

I would like to encourage Check Point R&D to develop a filtering mechanism within Identity Collector such that I can forward to the PDP only the identities that match a particular SGT / Security Group.  This would allow me to only send identities learned by ISE for the non-AD connected devices, and not all the other devices that AD already knows about.  This would allow the firewall policy to work as designed for AD-joined devices, and allow me to configure rules with Access Roles containing ISE Identity tags for the non-AD-joined devices.  This also will improve performance on the PDP because it would no longer have to manage all the unnecessary identities learned by ISE that I cannot filter out.

Specific Example

I hope the following example can clarify what is going on here:

  1. Laptop connects to network port (no user logged in).  ISE learns the identity and forwards to the PDP (note, in this example, ISE assigns the laptop an SGT named ‘Employees’):
    1.JPG

    Note: If ISE learns the identity via 802.1x, identity collector forwards it as a “user” identity and not a machine identity.  In this example, ‘sh263886’ is the CN of the computer cert used for the 802.1x authentication.

  2. I login to the laptop.  AD logs the login event, and Identity Collector forwards it to the PDP (both machine and user identities).  PDP replaces the ISE identity with the AD identities.  My AD groups are learned and access roles provisioned:
    2.JPG

    I can now surf as a normal authenticated user.  Everything works.

  3. If I disconnect from the wired network (e.g. I become undocked to go to a meeting), ISE detects that I have logged off, and Identity Collector sends a logoff event to the PDP.  The PDP removes my identity completely from its database:
    3.JPG
  4. When I reconnect to the network, ISE learns the identity, but without any AD Group information.  Due to 802.1x auth, the user identity is now learned as the computer name (sh263886@sh-qa.org).  This results in the user losing Internet access until a new AD login event is generated.  Sometimes this happens quickly, sometimes it can take 15-30+ minutes, depending on what applications are running on the computer. 

    Here is the ISE login on the PDP:
    4.JPG
    Here is the UserCheck page that shows the ISE identity that was learned (basically, the PDP only knows about the ISE identity, and because there is no AD info, the user is denied Internet access):
    5.JPG

  5. Eventually, AD logs a login event, the ISE learned identity is overwritten, and things begin to work normally as they should:
    6.JPG

This behavior definitely occurs when a laptop is docked/undocked.  It also occurs as ISE performs re-auths periodically throughout the day.  So, this could lead to 'intermittent' issues for end users.

Please let me know your thoughts, and any potential workarounds or solutions!  Again, I think the best solution might be adding functionality to Identity Collector to filter based on ISE SGT/Security Groups.

12 Replies
Admin

Maybe Captive Portal with Kerberos would be a potential solution here.
The idea being that the Captive Portal can request the Kerberos ticket from the PC and associate the AD user with the IP address.

Likely, the best approach would be to deploy the Identity Agent on the end user PC.

Advisor

I really don't want to have to deploy the identity agent on 30,000+ PCs.  I'm not sure I could even get the buy-in from management to have to deploy another agent on our workstations.  A centralized solution would be much preferred here.

Admin

I can totally understand that which is why I suggested Kerberos + Captive Portal as an option.
I know you and/or your account team had a side conversation with R&D about adding the desired function to Identity Collector or similar.

Admin

@Peter_Elmer Can you add anything here?

Employee+

Hey,

R80.40 contains a new mechanism called PDP conciliation. 

The mechanism allows supporting multiple associations per IP instead of keeping overriding the existing one.

Therefore, two associations coming from the same collector will live together, in your case ISE and AD.

 

Assaf,

Advisor

I don't think PDP conciliation will help here.  The problem is both identities come to the PDP from Identity Collector.  According to "Example 3" in the IDA Admin Guide, multiple identities from Identity Collector will always override each other:

-------------------------

Example 3

The PDP received an Identity Collector session, and then received a new identity from Identity Collector on the same IP address.

The conciliation decision is to override the existing Identity Collector session based on the TTL factor and because only a single Identity Collector session can exist per IP address.

-----------------

Also, I would want the identity to be over-written if IDC learns a new AD login for a device.  The problem here is Identity Collector learns the same identity from multiple sources (AD and ISE), but for PDP conciliation the "source" of the identity is the same (Identity Collector).

Filtering at the Identity Collector level would also alleviate the PDP from expending processing power to do the conciliation of the identities.  This is beneficial since the PDP is not yet a multi-threaded process.

Employee+

Hey,

Are those user sessions?

If yes, you can try the following command,

'pdp conciliation idc_multiple_users'

Collaborator

Maybe you can install a second IDC exclusively for ISE events, then contact support to reconfigure the PDP to prioritize events from the AD IDC over events from the ISE IDC. According to sk146835 support should be able to change the default behaviour.

Advisor

@assafal Some of them are user sessions and some of them are machine sessions.  I've noticed that ISE treats it as a user session if it was captured via 802.1x authentication and treats it as a machine session if it uses MAB (MAC address based) authentication.  So, ultimately, it is both.

@Benedikt_Weissl thanks for finding that.  I'll open a TAC case and see what info I can glean from that.  I'll do some testing in my lab as well to see if this could be a good workaround.

Ultimately, though, it would be nice to filter the identities closer to home on the identity collector.

Advisor

@Benedikt_Weissl I confirmed with TAC that having ISE and AD configured on different identity collector servers would not fix this.  Because they both have a source of identity collector, identity conciliation will continue to overwrite the identities.  You can't prioritize one identity collector server over another one.

Collaborator

Dang it, I've really hoped a second IC would fix that. Thank you for the feedback!

Employee+

Identity session conciliation behavior can be changed by using the following command:

'pdp conciliation idc_multiple_users'

It will append IDC sessions instead of overriding them.

 

Thanks,

 

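Editor's note: the following is an added example, not code from Check Point or from anyone in this thread. It is a small Python model of the behaviour the thread describes, so that the two failure modes in the original post (the dock/undock sequence in steps 1-5, and the periodic ISE re-auth) and the two remedies discussed later (the `pdp conciliation idc_multiple_users` append mode, and the SGT filter at the collector that the original poster asks R&D for) can be replayed side by side. The session-table semantics are simplified from what the posts report (one collector session per IP that a newer one overrides, a forwarded logoff clears the IP, append mode keeps other sessions on the IP); the `ise_sgt_allow` filter is hypothetical, and all IPs, user names, AD groups and SGTs are constructed for the example.

```python
"""Toy model of Identity Collector -> PDP session handling from this thread.

Added example, not Check Point code. It models what the posts report: one
collector session per IP that a newer one overrides, a forwarded logoff that
removes the IP, an append mode standing in for 'pdp conciliation
idc_multiple_users', and the hypothetical SGT filter at the collector that the
original post requests. All names, IPs, groups and SGTs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    feed: str                        # what the collector learned it from: "AD" or "ISE"
    kind: str                        # "user" or "machine"
    name: str
    groups: frozenset = frozenset()  # AD groups; empty for ISE-learned identities
    sgt: str = ""                    # ISE security group tag; empty for AD-learned ones


class IdentityCollector:
    """Forwards events to the PDP; from the PDP's view every event has source 'IDC'."""

    def __init__(self, ise_sgt_allow=None):
        # Hypothetical filter (the feature requested in the thread): when set,
        # ISE events are forwarded only for endpoints whose SGT is in the set.
        self.ise_sgt_allow = ise_sgt_allow

    def forward(self, pdp, ip, event, ident):
        if (self.ise_sgt_allow is not None and ident.feed == "ISE"
                and ident.sgt not in self.ise_sgt_allow):
            return False                     # dropped here; the PDP never sees it
        pdp.receive(ip, event, ident)
        return True


class PDP:
    """Identity session table keyed by IP; every entry arrived via the collector."""

    def __init__(self, idc_multiple_users=False):
        self.idc_multiple_users = idc_multiple_users
        self.sessions = {}                   # ip -> list[Identity]

    def receive(self, ip, event, ident):
        if event == "logoff":
            # Step 3 of the post: a collector logoff removes the IP entirely.
            # Assumption of this model: the same happens in append mode.
            self.sessions.pop(ip, None)
        elif self.idc_multiple_users:
            # Append mode: keep the other sessions, replace only a same-name one.
            kept = [s for s in self.sessions.get(ip, [])
                    if (s.kind, s.name) != (ident.kind, ident.name)]
            self.sessions[ip] = kept + [ident]
        else:
            # Default: a single collector session per IP, the newest wins.
            self.sessions[ip] = [ident]

    def matches_ad_group(self, ip, group):
        """Access Role check on an AD group (the rule that grants Internet)."""
        return any(group in s.groups for s in self.sessions.get(ip, []))

    def matches_sgt(self, ip, sgt):
        """Access Role check on an ISE identity tag."""
        return any(s.sgt == sgt for s in self.sessions.get(ip, []))


# Constructed data for the scenarios
INTERNET_GROUP = "Internet-Users"
LAPTOP_IP = "10.0.0.25"
ISE_LAPTOP = Identity("ISE", "user", "sh263886", sgt="Employees")       # 802.1X, machine cert
AD_USER = Identity("AD", "user", "jdoe", groups=frozenset({"Domain Users", INTERNET_GROUP}))
ISE_PRINTER = Identity("ISE", "machine", "printer-01", sgt="Printers")  # MAB, no AD account


def dock_cycle(pdp, idc):
    """Steps 1-5 of the original post; returns Internet access after each step."""
    steps = [
        ("login", ISE_LAPTOP),    # 1. laptop docks, ISE learns it, nobody logged in
        ("login", AD_USER),       # 2. user logs in, AD event forwarded
        ("logoff", ISE_LAPTOP),   # 3. undock: ISE logoff forwarded
        ("login", ISE_LAPTOP),    # 4. redock: ISE re-learns it, no AD groups
        ("login", AD_USER),       # 5. eventually AD logs a fresh login
    ]
    access = []
    for event, ident in steps:
        idc.forward(pdp, LAPTOP_IP, event, ident)
        access.append(pdp.matches_ad_group(LAPTOP_IP, INTERNET_GROUP))
    return access


def periodic_reauth(pdp, idc):
    """AD login followed by an ISE re-auth with no logoff in between."""
    access = []
    for event, ident in [("login", AD_USER), ("login", ISE_LAPTOP)]:
        idc.forward(pdp, LAPTOP_IP, event, ident)
        access.append(pdp.matches_ad_group(LAPTOP_IP, INTERNET_GROUP))
    return access


if __name__ == "__main__":
    print("default, dock cycle  :", dock_cycle(PDP(), IdentityCollector()))
    print("default, re-auth     :", periodic_reauth(PDP(), IdentityCollector()))
    print("append, re-auth      :", periodic_reauth(PDP(idc_multiple_users=True), IdentityCollector()))
    print("SGT filter, dock     :", dock_cycle(PDP(), IdentityCollector(ise_sgt_allow={"Printers"})))
```

Read the four printed lists as the thread's timeline: with the default override behaviour the laptop loses its AD-based access at step 3 and step 4 and only gets it back at step 5, and loses it again on every periodic re-auth. Append mode fixes the re-auth case, because the AD session survives next to the ISE one; in this model it does not fix the undock case, because the thread's step 3 shows a collector logoff clearing the IP (how append mode treats that logoff is an assumption here, not something the posts establish). The SGT filter keeps the laptop's AD session intact through all five steps, but note why: the collector then drops the laptop's ISE logoff as well, so the AD session lives until its own timeout rather than being cleared when the laptop undocks, and the printer with SGT `Printers` is still forwarded and still matches an ISE-tag Access Role.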