https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598306#M519470 <HTML><HEAD></HEAD><BODY><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">Hi team,</SPAN></P><P></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">I’m working with a customer who has a requirement to authenticate routers against ISE using digital certificates.</SPAN></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #58585b; font-family: arial, helvetica, sans-serif; font-size: 15px; font-style: inherit;">They want to ensure that any network devices such as IOS routers, switches are subjected to machine </SPAN><SPAN style="color: #58585b;"><SPAN style="font-size: 15px; font-style: inherit;">authentication using identity certificates pre-installed on the device, when these devices are deployed to </SPAN><SPAN style="font-size: 15px;">their network</SPAN><SPAN style="font-size: 15px; font-style: inherit;">.</SPAN></SPAN></P><P><SPAN style="color: #58585b; font-style: inherit; font-size: 15px;"><BR /></SPAN></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">In essence, the routers and switches in their deployment should authenticate themselves before being granted network access.</SPAN></P><P></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">This requirement of theirs stems from the fact that the entire solution is being designed for the defense vertical.</SPAN></P><P></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">Any insight on how this requirement can be met; ISE or otherwise will be much appreciated !</SPAN></P></BODY></HTML> Wed, 29 Nov 2017 04:03:01 GMT susreeni 2017-11-29T04:03:01Z https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598306#M519470 <HTML><HEAD></HEAD><BODY><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">Hi team,</SPAN></P><P></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">I’m working with a customer who has a requirement to authenticate routers against ISE using digital certificates.</SPAN></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #58585b; font-family: arial, helvetica, sans-serif; font-size: 15px; font-style: inherit;">They want to ensure that any network devices such as IOS routers, switches are subjected to machine </SPAN><SPAN style="color: #58585b;"><SPAN style="font-size: 15px; font-style: inherit;">authentication using identity certificates pre-installed on the device, when these devices are deployed to </SPAN><SPAN style="font-size: 15px;">their network</SPAN><SPAN style="font-size: 15px; font-style: inherit;">.</SPAN></SPAN></P><P><SPAN style="color: #58585b; font-style: inherit; font-size: 15px;"><BR /></SPAN></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">In essence, the routers and switches in their deployment should authenticate themselves before being granted network access.</SPAN></P><P></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">This requirement of theirs stems from the fact that the entire solution is being designed for the defense vertical.</SPAN></P><P></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;"><SPAN style="font-style: inherit; font-family: arial, helvetica, sans-serif;">Any insight on how this requirement can be met; ISE or otherwise will be much appreciated !</SPAN></P></BODY></HTML> Wed, 29 Nov 2017 04:03:01 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598306#M519470 susreeni 2017-11-29T04:03:01Z https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598307#M519471 <HTML><HEAD></HEAD><BODY><P>I dont get why the customer want this . This devices are usually add in to ise . In network device list . And for some reason authentication fail it will it will DENY ACCESS. If NAD is in deny access all endpoints will not able to have access. I think this is not recommend .And usually all Radius and Tacacs are included in triple AAA model .</P><P>Here in community we have some gurus and they will answer you but as i mention this is not good .</P></BODY></HTML> Wed, 29 Nov 2017 07:54:00 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598307#M519471 ognyan.totev 2017-11-29T07:54:00Z https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598308#M519472 <HTML><HEAD></HEAD><BODY><P>Are you talking about NEAT. Please take a look at this doc.</P><P><A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html" title="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html">NEAT Configuration Example with Cisco Identity Services Engine - Cisco</A></P><P></P><P>-Krishnan</P></BODY></HTML> Fri, 01 Dec 2017 06:38:07 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598308#M519472 kthiruve 2017-12-01T06:38:07Z https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598309#M519473 <HTML><HEAD></HEAD><BODY><P>Hi Krishnan,</P><P></P><P>NEAT isn't the scenario that the customer is looking at.</P><P>From what I understand, NEAT is a 802.1x scenario where both the authenticator (IOS switch) as well as the supplicant mutually authenticate each other rather than only the supplicant being authenticated, which is normally the case.</P><P></P><P>The requirement is simply one where IOS routers, IOS switches themselves will be supplicants to the network with certificates being their 802.1x credentials (Perhaps EAP-TLS needs to be the 802.1x method?).</P><P></P><P>Regards,</P><P></P><P>Sundar</P></BODY></HTML> Fri, 01 Dec 2017 06:49:33 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598309#M519473 susreeni 2017-12-01T06:49:33Z https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598310#M519474 <HTML><HEAD></HEAD><BODY><P>You are talking about NDAC that establishes Trustsec domain boundary.</P><P>Here is the doc for that explains nicely all about NDAC</P><P><A href="https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/how_to_intro_macsec_ndac_guide.pdf" title="https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/how_to_intro_macsec_ndac_guide.pdf">https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/how_to_intro_macsec_ndac_guide.pd…</A></P><P></P><P>-Krishnan</P></BODY></HTML> Fri, 01 Dec 2017 07:09:09 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-for-ios-routers-switches/m-p/3598310#M519474 kthiruve 2017-12-01T07:09:09Z