@PhoneBoy- This is related to the question I asked on the IA tech-talk that you gave on Tuesday.
@Royi_Priov - I hope this thread interests you!
@gpasikowski and @Jason_Buranen thanks for your assistance in troubleshooting this issue!
In our environment we are currently using Identity Collector to send Active Directory (AD) learned identities to the PDP GW. This is working well. However, we want to also connect Cisco ISE to Identity Collector so it can help us identify certain groups of non-AD connected devices. The thought here is that all devices must use ISE to connect to the network (we are doing NAC, so every device must auth to join the network). We can then tie a security group (SGT) to the specific types of devices we want to identify and use identity tags inside of access roles in our firewall policy.
The problem we have run into is that AD and ISE learn about many of the same endpoints (for example, a domain-joined laptop), and therefore when identity collector forwards the identities as they are learned, the PDP continually over-writes the identity it has learned for a specific IP address. This causes several issues:
- When ISE overwrites an identity previously learned from AD, the access roles that are tied to AD are lost for that identity until identity collector receives and forwards another AD login event for that user/IP address. This means the user no longer matches any identity-based rules tied to their AD userID. (In our case, this would break access to almost all Internet sites)
- Adds performance load to the PDP. This is because identities are continually over-written on the PDP as they are learned from the two different sources.
I would like to encourage Checkpoint R&D to develop a filtering mechanism within Identity Collector such that I can forward to the PDP only the identities that match a particular SGT / Security Group. This would allow me to only send identities learned by ISE for the non-AD connected devices, and not all the other devices that AD already knows about. This would allow the firewall policy to work as designed for AD joined devices, and allow me to configure rules with Access Roles containing ISE Identity tags for the non-AD joined devices. This also will improve performance on the PDP because it would no longer have to manage all the un-necessary identities learned by ISE that I cannot filter out.
I hope the following example can clarify what is going on here:
- Laptop connects to network port (no user logged in). ISE learns the identity and forwards to the PDP (note, in this example, ISE assigns the laptop an SGT named ‘Employees’):
Note: If ISE learns the identity via 802.1x, identity collector forwards it as a “user” identity and not a machine identity. In this example, ‘sh263886’ is the CN of the computer cert used for the 802.1x authentication.
- I login to the laptop. AD logs the login event, and Identity Collector forwards it to the PDP (both machine and user identities). PDP replaces the ISE identity with the AD identities. My AD groups are learned and access roles provisioned:
I can now surf as a normal authenticated user. Everything works.
- If I disconnect from the wired network (eg. I become undocked to go to a meeting), ISE detects that I have logged off, and Identity Collector sends a logoff event to the PDP. The PDP removes my identity completely from it’s database:
- When I reconnect to the network, ISE learns the identity, but without any AD Group information. Due to 802.1x auth, the user identity is now learned as the computer name (email@example.com). This results in the user losing Internet access until a new AD login event is generated. Sometimes this happens quickly, sometimes it can take 15-30+ minutes, depending on what applications are running on the computer.
Here is the ISE login on the PDP:
Here is the UserCheck page that shows the ISE identity that was learned (basically, the PDP only knows about the ISE identity, and because there is no AD info, the user is denied Internet access):
- Eventually, AD logs a login event, the ISE learned identity is overwritten, and things begin to work normally as they should:
This behavior definitely occurs when a laptop is docked/undocked. It also occurs as ISE performs re-auths periodically throughout the day. So, this could lead to 'intermittent' issues for end users.
Please let me know your thoughts, and any potential workarounds or solutions! Again, I think the best solution might be adding functionality to Identity Collector to filter based on ISE SGT/Security Groups.