Lab Minutes Forum

Technical Discussion => Security => Topic started by: bberry on May 06, 2015, 02:05:29 PM

Title: 802.1x authentication and static IP addresses
Post by: bberry on May 06, 2015, 02:05:29 PM
OK .. I have another odd question. How does one handle the need for a PC having a static IP address?

Scenario - Network admin PCs are statically set so they can have remote device security set so that only their network can access devices.

With DHCP I can use a policy that checks to make sure they are in the admin AD group and their devices are "corporate assets". With static, if they unplug their corporate asset and plug in, say, their laptop, it gets an IP address in the same address space. They then have access to at least all other admin PCs in the address space.

Suggestions???

brent
Title: Re: 802.1x authentication and static IP addresses
Post by: MC on May 06, 2015, 09:59:06 PM
Hi Brent, not sure if I follow. Your ISE policy should be set up so that the device/user gets network access only after a successful user and/or machine authentication, regardless of how the machine is assigned its IP, DHCP or static. What are you trying to accomplish or prevent?
Title: Re: 802.1x authentication and static IP addresses
Post by: bberry on May 07, 2015, 06:42:26 AM
Then maybe I have something configured wrong or missed a concept.

There is a VLAN configured on the switch and the PC normally gets an IP address from that VLAN. This is then used in the authentication process. In the case of the static devices this VLAN has to match the static IP address so once again it can participate in the authentication process. If the user unplugs their static device and plugs in their personal device, they get a DHCP IP address from that same VLAN. All authentication fails and the user ends up with the web auth policy, as the system sees them as a guest. The user can still ping other devices in that VLAN because of the DHCP address on that VLAN.

Thinking back through the whole process, I need to go back and probably have separate web auth processes for both wired and wireless? This is not an issue with wireless, as the VLAN used only has access to the internet and ISE. Now that wired is there I am lumping those VLANs into the mix and have the bleed-through to other devices on the same VLAN.

I am now thinking what I actually need is an ISE-dedicated VLAN that everything starts in, and then once authenticated it is moved to the appropriate new VLAN for access to network resources. This would allow machine access for Windows to do what it needs to do before the user actually signs on, but for some reason the transfer from this to user authentication is not working.

Brent
Title: Re: 802.1x authentication and static IP addresses
Post by: MC on May 11, 2015, 07:46:23 PM
For wired, I would recommend keeping things simple and avoiding dynamic VLAN assignment, and instead relying on dACL to enforce access. If you really want to keep guests on a separate VLAN, configure the guest VLAN on the switchport as the starting VLAN. Then,

1. If machine and/or user authentication succeeds, assign the user to the secured production VLAN. This is regardless of whether it is using static IP or DHCP.
2. For true guest, the 802.1x authentication would fail and the user will failover to MAB and can be redirected to guest portal. Once logged in, guest stays on same VLAN with internet only access.

For wireless, since you will have two separate SSIDs for internal and guest, they would be mapped to separate VLANs already so there is nothing you need to do additionally.
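One way to wire up the wired flow MC describes, as an added example that is not from the thread, from Cisco's documentation or from ISE itself: a Cisco IOS access-switch configuration in which the port starts in the guest VLAN, 802.1X falls back to MAB, and ISE decides the outcome by returning either a VLAN plus a permissive dACL (corporate asset, machine/user auth succeeded) or a restrictive dACL plus a portal redirect (unknown device). The VLAN numbers, the ISE address 10.0.0.10, the shared key, the interface name and the portal FQDN are all assumed values; the RADIUS attributes are shown in comments only to document the two outcomes, they are configured on the ISE side, not on the switch.

```cisco
! Added example, not taken from the thread. Assumed values: VLAN 200 = guest
! (starting VLAN), VLAN 100 = production, ISE = 10.0.0.10, Gi1/0/1 = user port.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key S3cr3tSharedKey
radius-server vsa send authentication
dot1x system-auth-control
ip device tracking
!
! Static port ACL. The port runs in closed mode (no "authentication open"), so
! nothing but EAPOL passes before authorization; this ACL is the base that the
! downloadable ACL (dACL) returned by ISE replaces once a session is authorized.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 10.0.0.10
 deny   ip any any
!
! Redirect ACL named by ISE in the guest authorization profile: traffic matching
! a "permit" line is intercepted and sent to the guest portal, "deny" lines pass.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   ip any host 10.0.0.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 200
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Outcome 1 (ISE authorization profile for a corporate asset whose machine
! and/or user authentication succeeded): move to VLAN 100 and permit everything.
! The switch applies the VLAN regardless of how the host obtained its IP, so a
! statically addressed admin PC in the 100 address space works unchanged.
!   Tunnel-Type             = VLAN
!   Tunnel-Medium-Type      = 802
!   Tunnel-Private-Group-ID = 100
!   cisco-av-pair           = ip:inacl#1=permit ip any any
!
! Outcome 2 (802.1X failed, MAB continued with an unknown MAC): the host stays in
! VLAN 200 with a DHCP lease there, but the dACL below stops it reaching other
! hosts in that VLAN. Web traffic is permitted only so the redirect ACL can
! intercept it; it is sent to the portal, not to its original destination.
!   cisco-av-pair = ip:inacl#1=permit udp any eq bootpc any eq bootps
!   cisco-av-pair = ip:inacl#2=permit udp any any eq domain
!   cisco-av-pair = ip:inacl#3=permit ip any host 10.0.0.10
!   cisco-av-pair = ip:inacl#4=permit tcp any any eq www
!   cisco-av-pair = ip:inacl#5=permit tcp any any eq 443
!   cisco-av-pair = ip:inacl#6=deny ip any any
!   cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
!   cisco-av-pair = url-redirect=<central web auth portal URL that ISE generates per session>
```

The check a practitioner would run after applying this: plug an unknown laptop into the port, confirm with `show authentication sessions interface Gi1/0/1 details` that the session shows MAB with the restrictive dACL and a URL redirect, and then confirm from that laptop that pinging another host in VLAN 200 fails while the portal loads. That is exactly the bleed-through bberry observed, closed by the dACL rather than by the VLAN.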
Title: Re: 802.1x authentication and static IP addresses
Post by: misthe on June 18, 2015, 02:48:24 PM
Hi,

No your question is not odd and is very realistic!!!

As you said, the scenario is the laptop of an admin, let's say, that travels inside your company and needs a dedicated IP address to follow it in order to have access to a DMZ.

Well, the answer is YES and NO :) If I remember, this could be done if you play with the attributes assigned, let's say, on an authz profile: apart from VLAN and dACL, set Radius:Framed-IP-Address to the IP that you wish, and then do the same in AD on the user, in the description field, again with the same IP address.
It never worked for me and I searched that matter very much.
Well, what I know is that this feature will be present in version 2.0 this autumn :)
Title: Re: 802.1x authentication and static IP addresses
Post by: MC on June 19, 2015, 10:11:19 PM
Quote from: misthe on June 18, 2015, 02:48:24 PM
Hmm.. Interesting. Radius:Framed-IP-Address is normally used to assign a static IP to a VPN user and not so much for wired 802.1X, as that would have been done by MAC address reservation on the DHCP server. Also I am not too sure how that would work if the IP that the user already has is overwritten by one returned in the RADIUS reply. I would definitely like to hear a use case for that.