jonagy
Explorer

ISE SGT user/machine priority, precedence

Hi

My primary issue:

1. Normally, a Windows workstation without a logged-in user is authenticated and authorized as a machine. When a user logs in, the PDP role update occurs, where both the user and machine roles appear in the same event, and the machine seems "stronger". In other words, for some user logins, the previous machine SGT role remains in effect, and this is bogus.

I wish to have the machine auth (SGT) be in effect for workstations when no logged-in user is present, but when a user successfully logs in, the user's SGT/role takes precedence and matches against the Access Role object as the source SGT.

Example:

USER_SIMPLE_600  -- user auth by ISE dot1x

SIMPLE_MAB_400 -- machine auth by ISE MAB

[Expert@lab-cp-gw1:0]# pdp monit ip 172.30.110.82

Session:  596210f0
Session UUID:  {85646C20-D324-7581-6728-65E6284D99D5}
Ip:  172.30.110.82
Machine:  
 sdatestpc@seclab.local {ddfde611}
   Groups: All Machines;SIMPLE_MAB_400
   Roles: SGT_SIMPLE_MAB_400
   Client Type: Identity Collector (Cisco ISE)
   Authentication Method: Trust
   Distinguished Name: CN=SDATESTPC,CN=Computers,DC=seclab,DC=local
   Connect Time: Fri Feb  9 16:23:43 2024
   Next Reauthentication: Sat Feb 10 04:24:30 2024
   Next Connectivity Check: -
   Next Ldap Fetch: Fri Feb  9 20:31:20 2024

Users:  
 user600@seclab.local {1a2ee685}
   LogUsername: user600 (user600)
   Groups: All Users;USER_SIMPLE_600
   Roles: SGT_SIMPLE_MAB_400;SGT_USER_SIMPLE_600
   Client Type: Identity Collector (Cisco ISE)
   Authentication Method: Trust
   Distinguished Name: CN=user600,OU=Seclab Users,DC=seclab,DC=local
   Connect Time: Fri Feb  9 16:24:00 2024
   Next Reauthentication: Sat Feb 10 04:24:30 2024
   Next Connectivity Check: -
   Next Ldap Fetch: Fri Feb  9 21:38:01 2024

Packet Tagging Status:  Not Active
Published Gateways:  Local

As a result, here the src IP 172.30.110.82 would match the "SIMPLE_MAB_400" rule instead of "USER_SIMPLE_600".

There are separate Access Role objects, with corresponding "Identity Tag" objects for 400 and 600.

With other users (like "USER_SIMPLE_200") this works as expected, but not with the 600. I checked and confirmed several times: there is no difference between the users, only the tag number (SGT 200<400<600). No other difference (incl. AD groups, ISE authorization, testing on the same switch port).

2.

On the other hand, would it be possible to rely only on the SGT, without an LDAP query (i.e. working only with RADIUS, with ISE local identities, when LDAP is not available)?

Thanks,

Gyula

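One check worth making before touching ISE or LDAP is to look at what the session above actually carries: the logged-in user's identity lists both SGT_SIMPLE_MAB_400 and SGT_USER_SIMPLE_600 in Roles, so the session satisfies an Access Role for either tag. The script below is an added example (not from the post and not Check Point code) that parses the text `pdp monit ip` prints and replays a hypothetical ordered rulebase against it. Assumptions, stated in the code as well: a rule whose Access Role carries an Identity Tag matches the source IP when any identity of the session (Machine or Users) lists that tag in Roles, rules are evaluated top down with the first match winning, and the rule names and the machine-only / user-200 sessions are constructed. The sample session text is a trimmed copy of the output quoted in the post.

```python
"""Added example, not from the post or from Check Point: parse `pdp monit ip`
output and replay an ordered rulebase against the session.

Assumed matching model (an assumption of this script, not a documented fact):
a rule whose Access Role carries an Identity Tag matches when ANY identity
(Machine or Users) of the session lists that tag in Roles; rules are evaluated
top down and the first match wins. Rule names are hypothetical."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the output quoted in the post, trimmed to the lines that matter.
SAMPLE_PDP_MONIT = """\
Session:  596210f0
Session UUID:  {85646C20-D324-7581-6728-65E6284D99D5}
Ip:  172.30.110.82
Machine:
 sdatestpc@seclab.local {ddfde611}
   Groups: All Machines;SIMPLE_MAB_400
   Roles: SGT_SIMPLE_MAB_400
   Client Type: Identity Collector (Cisco ISE)
   Distinguished Name: CN=SDATESTPC,CN=Computers,DC=seclab,DC=local
Users:
 user600@seclab.local {1a2ee685}
   LogUsername: user600 (user600)
   Groups: All Users;USER_SIMPLE_600
   Roles: SGT_SIMPLE_MAB_400;SGT_USER_SIMPLE_600
   Client Type: Identity Collector (Cisco ISE)
Packet Tagging Status:  Not Active
Published Gateways:  Local
"""
# Same workstation before anyone logs in (constructed): only the Machine identity is present.
SAMPLE_MACHINE_ONLY = SAMPLE_PDP_MONIT.split("Users:")[0] + "Users:\nPacket Tagging Status:  Not Active\n"

IDENTITY_RE = re.compile(r"^ (\S+) \{([0-9a-f]+)\}\s*$")  # " name@domain {id}"
ATTR_RE = re.compile(r"^\s{3}([^:]+):\s*(.*)$")            # "   Key: value"


def parse_pdp_monit(text: str) -> Dict:
    """Return {'ip': str, 'Machine': [identity, ...], 'Users': [identity, ...]}."""
    session: Dict = {"ip": None, "Machine": [], "Users": []}
    section: Optional[str] = None   # which identity list we are filling
    current: Optional[Dict] = None  # identity whose attribute lines follow
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Ip:"):
            session["ip"] = line.split(":", 1)[1].strip()
        elif line.startswith("Machine:") or line.startswith("Users:"):
            section, current = line.split(":", 1)[0], None
        elif (m := IDENTITY_RE.match(line)) and section:
            current = {"name": m.group(1), "id": m.group(2), "groups": [], "roles": []}
            session[section].append(current)
        elif (m := ATTR_RE.match(line)) and current is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key in ("Groups", "Roles"):      # other attributes are not needed here
                current[key.lower()] = [v for v in value.split(";") if v]
        elif not line.startswith(" "):
            section, current = None, None       # another top-level key: identity blocks are over
    return session


def session_roles(session: Dict, kind: Optional[str] = None) -> List[str]:
    """Roles the session carries, deduplicated in order; kind='Machine'/'Users' restricts it."""
    roles: List[str] = []
    for k in ([kind] if kind else ["Machine", "Users"]):
        for ident in session[k]:
            for r in ident["roles"]:
                if r not in roles:
                    roles.append(r)
    return roles


def user_only_roles(session: Dict) -> List[str]:
    """Roles present only because a user logged in (user roles minus machine roles)."""
    machine = set(session_roles(session, "Machine"))
    return [r for r in session_roles(session, "Users") if r not in machine]


Rule = Tuple[str, str]  # (hypothetical rule name, Identity Tag its Access Role requires)
RULEBASE_BY_TAG: List[Rule] = [  # ordered by tag number, mirroring the post's 200<400<600
    ("Allow_USER_SIMPLE_200", "SGT_USER_SIMPLE_200"),
    ("Allow_SIMPLE_MAB_400", "SGT_SIMPLE_MAB_400"),
    ("Allow_USER_SIMPLE_600", "SGT_USER_SIMPLE_600"),
]


def matching_rules(session: Dict, rulebase: List[Rule]) -> List[str]:
    """Every rule the session satisfies, in rulebase order."""
    carried = set(session_roles(session))
    return [name for name, tag in rulebase if tag in carried]


def first_match(session: Dict, rulebase: List[Rule]) -> Optional[str]:
    """Rule that fires under top-down, first-match evaluation (None if nothing matches)."""
    hits = matching_rules(session, rulebase)
    return hits[0] if hits else None


if __name__ == "__main__":
    for label, text in (("logged-in user600", SAMPLE_PDP_MONIT), ("machine only", SAMPLE_MACHINE_ONLY)):
        s = parse_pdp_monit(text)
        print(f"{s['ip']} ({label}): roles={session_roles(s)} user-only={user_only_roles(s)}")
        print("  first match, rules ordered by tag :", first_match(s, RULEBASE_BY_TAG))
        print("  first match, 600 rule placed first:", first_match(s, RULEBASE_BY_TAG[::-1]))
```

Under this model the logged-in session matches both the 400 and the 600 rule, so which one fires depends only on rule order: with rules ordered 200, 400, 600 a user-200 session hits its own rule first while a user-600 session hits the 400 rule first, which is consistent with (though does not by itself prove) the difference the post reports between USER_SIMPLE_200 and USER_SIMPLE_600. `user_only_roles` is the quick way to see which tag is actually unique to the logged-in state.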
3 Replies
PhoneBoy
Admin

The only way to retrieve groups is via LDAP or via SAML Assertion.

jonagy
Explorer

Hi,

You mean SGT, not AD groups?

However, since the SGTs are associated with users on an AD group membership basis in ISE, it seems more feasible to rely on the AD-based ID collector, if that is more reliable. Will see...

Thanks,

Gyula

PhoneBoy
Admin

You can define the relevant groups in Cisco ISE as Identity Tags, which can be used in the policy.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide... 
