Configure Authorization Flow for Passive ID Sessions in ISE 3.2

Available Languages

Download Options

  • PDF     (360.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (301.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (337.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 16, 2023
Document ID:220239

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure Authorization rules for Passive ID events to assign SGTs to the sessions.

    Background Information

    Passive identity services (Passive ID) do not authenticate users directly, but gather user identities and IP addresses from external authentication servers such as Active Directory (AD), known as providers, and then share that information with subscribers.

    ISE 3.2 introduces a new feature that allows you to configure an authorization policy to assign a Security Group Tag (SGT) to a user based on the Active Directory group membership.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco ISE 3.X
    • Passive ID integration with any provider
    • Active Directory (AD) administration
    • Segmentation (Trustsec)
    • PxGrid (Platform Exchange Grid)

    Components Used

    • Identity Service Engine (ISE) software version 3.2
    • Microsoft Active directory
    • Syslogs

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configuration

    Step 1. Enable ISE Services.

    1. On ISE, navigate to Administration > Deployment, choose the ISE node and click Edit, enable Policy Service and choose Enable Passive Identity Service. Optional, you can enable SXP and PxGrid if the passive id sessions need to be published through each one. Click Save.

    Warning: SGT details of the PassiveID login users that are authenticated by API provider cannot be published into SXP. However, the SGT details of these users can be published through pxGrid and pxGrid Cloud.

    Services EnabledServices Enabled

    Step 2. Configure the Active Directory.

    1. Navigate to Administration > Identity Management > External Identity Sources and choose Active directory then click the Add button.
    2. Enter the Join Point Name and Active Directory Domain. Click Submit.

    Add Active DirectoryAdd Active Directory

    3. A pop up appears to join ISE to the AD. Click Yes. Enter the Username and Password. Click OK.

    Continue to join ISEContinue to join ISE  Join Active DirectoryJoin Active Directory

    4. Retrieve AD groups. Navigate to Groups, click Add, then click Retrieve Groups and choose all the interested groups and click OK.

    Retrieve AD groupsRetrieve AD groups

    Retrieved GroupsRetrieved Groups

    5. Enable Authorization flow. Navigate to Advance Settings and in the section PassiveID Settings check the Authorization Flow checkbox. Click Save.

    Enable Authorization FlowEnable Authorization Flow

    Step 3. Configure Syslog provider.

    1. Navigate to Work Centers > PassiveID > Providers, choose Syslog Providers, click Add and complete the information. Click Save

    Caution: In this case, ISE receives the syslog message from a successful VPN connection in an ASA, but this document does not describe that configuration.

    Configure Syslog providerConfigure Syslog provider

    1. Click Custom Header. Paste the sample syslog and use a Separator or Tab to find the device hostname. If it is correct, the Hostname appears. Click Save

    Configure Custom HeaderConfigure Custom Header

    Step 4. Configure Authorization rules

    1. Navigate to Policy > Policy Sets. For this case, it uses the Default policy. Click the Default policy. In the Authorization Policy, add a new rule. In the PassiveID policies, ISE has all the providers. You can combine this one with a PassiveID group. Choose Permit Access as Profile, and in Security Groups choose the need it SGT.

    Configure Authorization RulesConfigure Authorization Rules

    Verify

    Once ISE receives the Syslog, you can check the Radius Live Logs to see Authorization Flow. Navigate to Operations > Radius > Live logs.

    In the logs you can see the Authorization event. This one contains the Username, Authorization Policy and Security Group Tag associated with it.

    Radius Live LogRadius Live Log

    To check more details, click the Detail Report. Here you can see the Authorize-Only flow that evaluates the Policies to assign the SGT.

    Radius Live log ReportRadius Live log Report

    Troubleshoot

    For this case, it uses two flows; the passiveID sessions and the Authoriation flow. To enable the debugs, navigate to Operations > Troubleshoot > Debug Wizard Debug Log Configuration, then choose the ISE node.

    For the PassiveID, enable the next components to DEBUG level:

    • PassiveID

    To check the logs, based on the Passive ID provider, the file to check for this scenario, you need to review the file passiveid-syslog.log, for the other providers:

    • passiveid-agent.log
    • passiveid-api.log
    • passiveid-endpoint.log
    • passiveid-span.log
    • passiveid-wmilog

    For the Authorization Flow, enable the next components to DEBUG level:

    • policy-engine
    • prrt-JNI

    Example:

    Debugs enabledDebugs enabled

    Revision History

    Revision Publish Date Comments
    1.0
    17-Feb-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Ruben De La Vega
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products