A user's Active Directory dial-in permission can be evaluated during authentication (or a directory query) to explicitly allow or deny network access. This is a simple way to distinguish between user and service accounts when it comes to network access privileges. Cisco ACS handles the whole check with a single check box under Users and Identity Stores > Active Directory.
In Cisco ISE, however, getting the same result is a fairly cumbersome process, so if you are migrating from Cisco ACS a few prerequisites have to be met first.
Components:
Cisco ACS: 5-5-0-46-4
Cisco ISE: 2.0.0.306
First, make sure every user account has its dial-in permission hard set to either Allow access or Deny access. Cisco ACS is tolerant of the third option, Control access through NPS Network Policy, which leaves the msNPAllowDialin attribute unset on the account object; Cisco ISE gets no value back for such accounts, so they will never match the condition in the Authorization Policy.
Next, join the ISE node to Active Directory (fortunately this part is straightforward) and add a new attribute on the join point under Administration > Identity Management > External Identity Sources > Active Directory > Attributes > Add > Select Attributes From Directory.
To retrieve the available attributes you need to enter a valid sample user ID and click Retrieve Attributes…
Select msNPAllowDialin and OK. Save changes.
Once the attribute is defined it can be referenced in the Authorization Policy. Add a new condition to the policy rule, pick msNPAllowDialin from the Active Directory join point's attributes, and set it EQUALS TRUE. The attribute is a Boolean in AD, so ISE evaluates it as the string TRUE or FALSE; an account on which it is unset matches neither value, which is why the first step matters.
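The first prerequisite, every account having an explicit Allow access or Deny access, is easy to miss in a large directory. The script below is an added example, not part of the original post or any Cisco tooling: it uses the RSAT ActiveDirectory module to list accounts whose msNPAllowDialin attribute is absent (Control access through NPS Network Policy) and then hard-sets the value. The OU path and the "svc-" prefix used to recognise service accounts are assumptions for the example; adapt them to your own naming.

```powershell
# Added example (not from the original post): audit AD accounts for the explicit
# dial-in setting Cisco ISE needs, then set it. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UnsetDialinAccounts {
    <#
    Returns accounts whose msNPAllowDialin attribute is absent, i.e. the Dial-in tab is
    set to "Control access through NPS Network Policy". ISE returns no value for these,
    so an authorization condition on msNPAllowDialin can never match them.
    -SearchBase is a hypothetical OU; point it at the container you actually manage.
    #>
    param(
        [string]$SearchBase = "OU=Accounts,DC=example,DC=local"
    )
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties msNPAllowDialin |
        Where-Object { $null -eq $_.msNPAllowDialin } |
        Select-Object SamAccountName, DistinguishedName, Enabled
}

function Set-ExplicitDialin {
    <#
    Hard-sets msNPAllowDialin to $true (Allow access) or $false (Deny access) on each
    account piped in. Supports -WhatIf so the change can be reviewed before it is made.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$SamAccountName,
        [Parameter(Mandatory)]
        [bool]$AllowAccess
    )
    process {
        $state = if ($AllowAccess) { "Allow access" } else { "Deny access" }
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Set dial-in to '$state'")) {
            # msNPAllowDialin is a Boolean attribute, so a [bool] value is written directly.
            Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $AllowAccess }
        }
    }
}

# Report first, then fix. Example policy: service accounts (assumed here to carry a
# "svc-" prefix) get Deny access, everything else gets Allow access. Drop -WhatIf once
# the list has been reviewed.
$unset = Get-UnsetDialinAccounts
$unset | Format-Table -AutoSize

$unset | Where-Object { $_.SamAccountName -like 'svc-*' } |
    Set-ExplicitDialin -AllowAccess $false -WhatIf
$unset | Where-Object { $_.SamAccountName -notlike 'svc-*' } |
    Set-ExplicitDialin -AllowAccess $true -WhatIf
```

Run the report on its own first; any account it lists is one that will silently fail the ISE condition after the migration. Whether an unset account should become Allow or Deny is a policy decision, so the script only encodes one illustrative rule and leaves -WhatIf on until you remove it.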
Takeaways:
- Test conditions before production deployment.
- When migrating from ACS to ISE do not forget about the dial-in attribute. An authorization rule that no longer checks it can open uncontrolled access across your network boundaries.