topic ISE profiling need answer in Network Access Control

ISE profiling need answer

yong khang NG — Mon, 11 Mar 2019 01:34:54 GMT

Hi Forumers'

I looking some answer regarding ISE profiling.

I able to use ISE to test 802.1x wireless connection to Active Directory External indentity store.

Somehow for ISE, after enable the profiling configuration on deployment nodes, as long as the device with proper authentication and get into the network will then shown all the MAC address that can be found on Identity Management > identities> endpoints

My question is:

01. Can i done 802.1x authentication without using external identity stores? So far i only test on using Active Directory but not with ISE identities>users.

02. If in a environment that not using external identity stores for authentication, how do i able to know the MAC address is belonging to WHOM?

Thanks

ISE profiling need answer

Tarik Admani — Sat, 26 Nov 2011 16:46:16 GMT

Please see my answers inline:

I looking some answer regarding ISE profiling.

I able to use ISE to test 802.1x wireless connection to Active Directory External indentity store.

My question is:

01. Can i done 802.1x authentication without using external identity stores? So far i only test on using Active Directory but not with ISE identities>users.

Here is a guide that has the protocols that are supported by the ISE internal user database:

http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_man_id_stores.html#wpxref86403

02. If in a environment that not using external identity stores for authentication, how do i able to know the MAC address is belonging to WHOM?

You will not know which mac address belongs to which user, you will have to place your users in a specific group and have your authorization profile the devices based on the endpoint group and user group condition before they are granted access to the network. Endpoints only appear as the device type after they meet the certaintity that you have specified.

I hope this helps,

Tarik Admani

Thanks

ISE profiling need answer

yong khang NG — Mon, 28 Nov 2011 05:09:39 GMT

Hi Tarik,

Thanks for reply.

quick one

1. is ISE only design to support 802.1x? can it support on WPA2+PSK normal wireless authentication?

thanks

Noel

ISE profiling need answer

Tarik Admani — Mon, 28 Nov 2011 07:18:16 GMT

WPA-PSK terminates at the controller, there is no radius since the key has to match on the client and the controller. There isnt a yes or a no to this questions since the design of WPA-PSK doesnt utiilize a backend service.

ISE profiling need answer

yong khang NG — Wed, 30 Nov 2011 04:38:25 GMT

Thanks for the reply, your statement make me clear now

thanks again

ISE profiling need answer

JHILL2 — Wed, 01 Aug 2012 21:37:37 GMT

Hi,

I want to resurrect this thread

If we have Use Cases that require WPA-PSK, will we be forced to point this traffic through the legacy NAC in-band appliances for proper authorization?

The devices that use WPA-PSK are legacy devices that don't support 802.1x, but we'll need a way to ensure that the devices connecting to the WPA-PSK enabled SSID are approved devices.

So, in a nutshell, the devices for this Use Case will have to be profiled and authorized based on device type or MAC address.

Any other ideas out there besides NAC?

Re: ISE profiling need answer

Tarik Admani — Thu, 02 Aug 2012 00:46:38 GMT

You can use ISE. It allows control using a web portal so users can log in, authenticate, and you can distribute the agent for device posture. In this case you don't have to worry about Psk, you can use l3 web authentication and radius. You no longer have to place a device inline like you did in the Nac days. When a user is not compliant, ISE will send redirect acls to controller, where all traffic is redirected, then it uses coa to lift the redirection policy once the endpoint is compliant.

Thanks,

Sent from Cisco Technical Support iPad App

Re: ISE profiling need answer

JHILL2 — Thu, 02 Aug 2012 05:05:26 GMT

This means that I would have to use port 80. I will not have that option with these endpoints.

ISE profiling need answer

Tarik Admani — Thu, 02 Aug 2012 05:11:16 GMT

Lets take a step back, do you have a mix of dot1x capable and not dot1x machines?

Keep in mind that layer 3 authentication goes through the controller, so essentially the controller is what allows the web authentication go through and hit the ise node.

I dont understand why you would need port 80, the authentication is done through port 8443 so it should bypass any wccp or web related access-lists.

Thanks,

Tarik Admani
*Please rate helpful posts*

ISE profiling need answer

JHILL2 — Thu, 02 Aug 2012 14:05:06 GMT

Thanks Tarik,

So even if the port is 8443, these endpoints cannot open a browser. Think of the endpoints being more like a wireless barcode scanner or a wireless printer.

ISE profiling need answer

Tarik Admani — Thu, 02 Aug 2012 14:42:29 GMT

Thanks for the clarification James.

You can then use mac filtering in order to authenticate the devices. You can use dhcp options, and the MAC vendor in order to build a policy and dynamically assign these devices to a vlan.

I hope that helps.

Tarik Admani
*Please rate helpful posts*