ise
3 Topics

I have ISE 2.6 and 3.1, but some specific networks in this segment should be sent to the ISE 3.1 pool member.
Solution: Using an i-RULE or policies to solve the above issue.

Step 1: For ISE 2.6 and ISE 3.1, pool members should already be defined (Local Traffic -> Pools).

Step 2: Under Data Group, the source IP segment must be added.

Step 3: The i-RULE is below. Each single VS should call a different i-RULE. In my case, the ISE traffic for RADIUS, TACACS, Guest, and Profiler was prepared independently and followed exactly.

i-RULE for Profiler:
--------------------
    when CLIENT_ACCEPTED {
        # Log the client IP address
        log local0. "Client: [IP::client_addr]"
        # Clients in the ISE 3.1 source data group are steered to the ISE 3.1 pool
        if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
            log local0. "Pool Member Partition/Name: [LB::server pool]"
            pool PROD-Profiler-VXX_ISE3.1
        } else {
            pool PROD-Profiler-VXX
        }
    }

i-RULE for Radius:
--------------------
    when CLIENT_ACCEPTED {
        # Log the client IP address
        log local0. "Client: [IP::client_addr]"
        # Clients in the ISE 3.1 source data group are steered to the ISE 3.1 pool
        if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
            log local0. "Pool Member Partition/Name: [LB::server pool]"
            pool PROD-RADIUS-VXX_ISE3.1
        } else {
            pool PROD-RADIUS-VXX
        }
    }

i-RULE for TACACS:
--------------------
    when CLIENT_ACCEPTED {
        # Log the client IP address
        log local0. "Client: [IP::client_addr]"
        # Clients in the ISE 3.1 source data group are steered to the ISE 3.1 pool
        if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
            log local0. "Pool Member Partition/Name: [LB::server pool]"
            pool PROD-TACACS-VXX_ISE3.1
        } else {
            pool PROD-TACACS-VXX
        }
    }

i-RULE for Guest:
--------------------
    when CLIENT_ACCEPTED {
        # Logging the client IP address
        log local0. "Client: [IP::client_addr]"
        # Clients in the ISE 3.1 source data group are steered to the ISE 3.1 pool
        if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
            log local0. "Pool Member Partition/Name: [LB::server pool]"
            pool PROD-Guest-VXX_ISE3.1
        } else {
            pool PROD-Guest-VXX
        }
    }

Step 4: Connect the i-RULE to the VS in F5, then set the default Pool's load balancing to none.

Note: For the steps, see the screenshot in the attachment.

Remote authentication with user specific role
Hello everyone,

I was wondering how I could assign specific roles to each user I'm expecting on our systems. I know that if I create a local user with the same username as in the remote authentication server I can achieve exactly that. But we are using TACACS+ with ISE and multiple domains. If I try to create a user without the domain name it won't match, and I cannot create a local user with '\' like "domain\username".

It would be the most convenient solution to let the support partner log in as auditor on normal days but make exceptions when the **bleep** hits the fan. Of course I have multiple workarounds like making exceptions on ISE or AD, but these systems are under another unit's control. Also, even temporarily changing the whole remote role group's role would be a security risk.

Any idea? How could I match the remote username with the local ones? What is your best practice for handling external contractors' access to your systems?

All the best,
Bazsi

F5, Cisco ISE and EAP-TLS
Hi,

We are in the process of migrating our ISE infrastructure (AAA servers) from Cisco ACE to F5. We followed Craig Hyps' document for configuring the F5 LB: https://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf

All looks OK except EAP-TLS authentication (PEAP user/computer works fine). In the document there is nothing special mentioned that needs to be done for TLS. I think it may be related to fragmentation, but I am not sure. I can also add here that if we point the NADs to the PSN directly it works. The problem is only when we use the VIP (PEAP works with the VIP also).

Do you know if something special needs to be done on the F5 for EAP-TLS to work? Any information or hint is appreciated.

Thanks,
Laszlo