Cisco Identity Services Engine 1.2 Troubleshooting Guide

Here is the traffic flow, as illustrated in the network diagram:

1. A Microsoft Windows 7 user connects to the switch and performs 802.1x authentication.

2. The switch uses the ISE as the Authentication, Authorization, and Accounting (AAA) server. The Dot1x Full Access authorization rule is matched and full network access is granted (DACL: PERMIT_ALL).

3. The user tries to connect to the trusted network and violates a Snort rule.

4. As a result, Snort sends an alert to the pxLog application (via syslog).

5. The pxLog application performs verification against its local database. It is configured in order to catch the syslog messages sent by Snort and extract the IP address of the attacker. It then uses pxGrid to send a request towards the ISE in order to quarantine the attacker IP address (the ISE is the pxGrid controller).

6. The ISE re-evaluates its authorization policy. Because the endpoint is quarantined, the Session:EPSStatus EQUALS Quarantine condition is met and a different authorization profile is matched (Dot1x Quarantine). The ISE sends a CoA Terminate to the switch in order to terminate the session. This triggers re-authentication, and a new Downloadable ACL (DACL) (PERMIT_ICMP) is applied, which provides limited network access to the end user.

7. At this stage, the administrator might decide to unquarantine the endpoint. This can be achieved via the GUI of pxLog. Again, a pxGrid message towards the ISE is sent.

8. The ISE performs the same operation as in Step 6. This time, the endpoint is no longer quarantined and full access is provided.