Wednesday, May 9, 2018

ISE and managing domain and guest devices with Dot1x/MAB: how do you do it?

So I am beginning to roll out our ISE deployment to some test groups and I am wondering if there is a better way to do a few things. So far we ended up going with AnyConnect as the endpoint agent for domain machines.

We have the NAM profile for the corp network set to check for both machine auth and user auth by cert.

AD is currently pushing a machine cert for ISE to any machine added to the domain, and an ISE user cert to any domain user logging on.

Dot1x Auth checks these and then goes to our rules setup to check against our internal identity groups for various permissions.

For MAB we have exceptions for printers, IP phones, cameras, etc. TAC also helped me set up a catch rule, since CDP/LLDP profiling can be slower than the auth process; this helped catch some devices that weren't getting profiled properly.

Then the rest of MAB devices get sent into the guest self registration portal. Domain users and Contractors can register their devices and get guest dACLs from the portal.

This all works great... mostly... but I've run into some fringe circumstances that I'm wondering how to solve, and whether there's a better way to do our initial Dot1x auth.

So, two scenarios that I have run into. Freshly imaged machines: they get added to the domain during imaging and get their certs, but until a user logs in they will not have a user cert to check. Similarly, a normal domain machine sitting on the network with no user currently logged in will fall into the MAB auth session until someone logs in. Normally a user doesn't notice, as it will re-auth as they are logging in, find their cert, and auth as Dot1x, but remote workers trying to remote into that desktop won't be able to, since it's in a guest portal sequence with a redirect ACL on its port.

So here's where I'm a little unsure which direction to go. I think I can do some workarounds. I am thinking I can put in a catch authentication rule for just having the machine cert, but I can't do this in the Dot1x sequence, as it will fail since it's set in the NAM profile to look for both machine and user certs. I think I can put it at the beginning of the MAB sequence and give them a dACL that has the necessary access for domain/RDP/AD etc.

The other idea was to remove the user auth from the NAM profile and just try to add an AD user rule to the Dot1x policy set but this seems to defeat the purpose of having our user cert.

I could use some insight on how this is typically handled for others. I'm also a little torn on how to fully handle BYOD vs true guest. Any help is appreciated.
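One way to write the "machine cert only, nobody logged in" dACL the post proposes, as an added example and not the poster's own configuration; it assumes constructed placeholder addresses (10.0.10.10 for DNS, 10.0.10.0/24 for the domain controllers, 10.0.20.0/24 for the remote-worker VPN pool) and the standard Windows domain ports. Whichever authorization rule ends up matching the machine-cert session, the dACL itself would look like this:

```text
remark Constructed example: domain member with no user logged in
remark DHCP and DNS
permit udp any eq bootpc any eq bootps
permit udp any host 10.0.10.10 eq 53
permit tcp any host 10.0.10.10 eq 53
remark NTP, Kerberos, LDAP/LDAPS, global catalog
permit udp any 10.0.10.0 0.0.0.255 eq 123
permit tcp any 10.0.10.0 0.0.0.255 eq 88
permit udp any 10.0.10.0 0.0.0.255 eq 88
permit tcp any 10.0.10.0 0.0.0.255 eq 389
permit udp any 10.0.10.0 0.0.0.255 eq 389
permit tcp any 10.0.10.0 0.0.0.255 eq 636
permit tcp any 10.0.10.0 0.0.0.255 eq 3268
remark SMB (GPO/SYSVOL) and RPC endpoint mapper plus dynamic ports
permit tcp any 10.0.10.0 0.0.0.255 eq 445
permit tcp any 10.0.10.0 0.0.0.255 eq 135
permit tcp any 10.0.10.0 0.0.0.255 range 49152 65535
remark Inbound RDP from remote workers: the dACL filters traffic the
remark endpoint sends, so permit the desktop's replies sourced from 3389
permit tcp any eq 3389 10.0.20.0 0.0.0.255
deny ip any any
```

The switch substitutes the session's IP for the `any` source when it applies the dACL, so the RDP line is what lets a remote worker's connection complete rather than a rule permitting traffic to 3389; the same asymmetry is why a redirect ACL on the port blocks RDP even when the machine cert validated.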
