Cisco ISE dial-in attribute check

A user's dial-in permission (the Dial-in tab of an Active Directory account) can be checked during authentication or user lookup to explicitly allow or deny network access. It is a simple way to separate user accounts from service accounts when it comes to network access privileges. Cisco ACS handles this check with a single check box under Users and Identity Stores > Active Directory.

Cisco ACS dial-in check

With Cisco ISE, however, the same check is considerably more involved, so if you are migrating from Cisco ACS a few prerequisites must be met first.

Components:
Cisco ACS: 5-5-0-46-4
Cisco ISE: 2.0.0.306

First, make sure every user account has its dial-in permission explicitly set to either Allow access or Deny access. Cisco ACS is tolerant of the third setting, Control access through NPS Network Policy, but that setting leaves the msNPAllowDialin attribute unset in Active Directory. Cisco ISE then has no value to compare against, and the Authorization policy rule will not match for those accounts.
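An audit of this prerequisite, as an added example that is not part of the original post. It uses the ActiveDirectory RSAT module, which is an assumption about your management host, and the search base OU is a placeholder you must adjust. It lists the accounts whose dial-in permission is still Control access through NPS Network Policy (attribute absent), summarises the three states, and shows how to move the unset accounts to an explicit Deny so that ISE receives a definite value.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) and read rights on the user objects; write rights if you
# uncomment the Set-ADUser line at the end.
Import-Module ActiveDirectory

# Assumption: adjust the search base to the OU(s) that hold your network users.
$SearchBase = 'OU=Users,DC=example,DC=com'

# msNPAllowDialin is a Boolean in the AD schema:
#   TRUE   -> Allow access
#   FALSE  -> Deny access
#   absent -> Control access through NPS Network Policy (ISE cannot match this)
$all = Get-ADUser -Filter * -SearchBase $SearchBase -Properties msNPAllowDialin

# Summary of how many accounts are in each state.
$all |
    Group-Object -Property {
        if ($null -eq $_.msNPAllowDialin) { 'NotSet' }
        elseif ($_.msNPAllowDialin)      { 'Allow' }
        else                             { 'Deny' }
    } |
    Select-Object Name, Count |
    Format-Table -AutoSize

# The accounts that will never match an "msNPAllowDialin EQUALS TRUE" rule
# in ISE because the attribute is not present at all.
$unset = Get-ADUser -LDAPFilter '(!(msNPAllowDialin=*))' `
                    -SearchBase $SearchBase -Properties msNPAllowDialin

$unset | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Fail closed: give the unset accounts an explicit Deny so ISE sees FALSE.
# Review the list first, then uncomment. Use $true only for accounts that
# genuinely need network access.
# $unset | Set-ADUser -Replace @{ msNPAllowDialin = $false }
```

Defaulting the unmatched accounts to Deny rather than Allow keeps the migration fail-closed: an account that nobody has reviewed should not gain network access simply because its dial-in setting was never touched.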

Next, we need to join the ISE node to Active Directory (fortunately this part is straightforward) and add a new attribute under Administration > Identity Management > External Identity Sources > Active Directory > (your join point) > Attributes > Add > Select Attributes From Directory.

Cisco ISE Attribute setting

To retrieve the available attributes you will need to enter a valid User ID (a sAMAccountName) and click Retrieve Attributes…

msNPAllowDialin attribute

Select msNPAllowDialin, click OK, and save the changes.

Once the attribute is defined it can be referenced in the Authorization Policy. Add a new condition to the policy rule, pick msNPAllowDialin from the Active Directory join point's attributes, and set it EQUALS TRUE. Accounts set to Allow access return TRUE and match the rule; accounts set to Deny access return FALSE and fall through to the remaining rules.

Cisco ISE Attribute selection

Takeaways:

  • Test the conditions before deploying them to production.
  • When migrating from ACS to ISE, do not forget the dial-in attribute. If the policy does not check it, accounts that ACS used to deny may be granted access across your network boundaries.
