topic I am not terribly familiar in Network Access Control

FirePower Services NAC capabilities?

willfrui88 — Mon, 11 Mar 2019 06:58:46 GMT

We are looking at implementing FirePower Services on our current ASA's. Does FirePower services have any Network Access Control capabilities? Specifically, we want to block or at least notify our resources of any non-domain joined machine that plugs into our network.

Thanks in advance.

Not directly. That would be

Marvin Rhoads — Mon, 08 Aug 2016 23:51:56 GMT

Not directly. That would be more of an ISE function.

Your discovery policy can ascertain the usernames (via integration with AD) associated with all hosts (where such association exists). You could possibly craft a policy to block connections through the firewall from hosts without an associated username but it would be a hack vs. using the product in the way its designed.

It also would not do anything to keep them off the network - only prevent their traffic from going through the firewall.

With ISE you can do exactly what you're asking - it's a common use case and what the product is designed for.

Thank you Marvin!

willfrui88 — Tue, 09 Aug 2016 15:09:46 GMT

Thank you Marvin!

I am not terribly familiar

willfrui88 — Tue, 09 Aug 2016 15:21:48 GMT

I am not terribly familiar with ISE. How would ISE report on or block an unapproved device if it plugged into our network? For example, if an unapproved device plugged into a network port at a remote site...how would ISE know immediately? Is there something on the remote site switch that would inform ISE? Thanks again.

ISE is a NAC solution that

Marvin Rhoads — Tue, 09 Aug 2016 19:54:30 GMT

ISE is a NAC solution that uses a combination of technologies to assesses devices connecting to your networks and instruct the network access devices (switches, wireless controllers, ASAs etc.) to authorize (or change the authorization) accordingly.

It uses RADIUS, 802.1x, integration with an external identity store (like AD or LDAP) along with the capabilities built into Cisco and other vendors' NADs to take action according to the context of the situation (who, what where where how etc.).

For instance, you could integrate ISE with AD and to your switches and create policies that say, for instance, if wired user connects and both the user and computer do not have the right conditions (i.e. computer belongs to domain, has required software installed, user has valid domain credentials and is a member of certain group) then their access is denied or restricted.

ISE can push an ACL to the port, switch it to a quarantined or restricted VLAN, redirect all user traffic to a registration or remediation portal, etc.