topic ISE Multi-session User Login, NAC Web Agent and 2FA Query in Network Access Control

ISE Multi-session User Login, NAC Web Agent and 2FA Query

Abhishek Kumar — Fri, 03 Feb 2017 12:04:16 GMT

There are couple of questions that I need confirmation for

Same user logged in from multiple locations at the same time, wired/wireless (dot1x) or via VPN. I know there isn’t anything inbuilt in ISE (?) to alert on user logged in from more than 1 location. We can run active session report, export it and do the co-relation separately.

Q: Can StealthWatch report this easily? How can we stop/alert (the admin) if this happens?

A customer has 50% of its workforce as 3rd parties and they need to posture every endpoint. What would be the best solution for this. NAC Web Agent I would assume. Does that also need admin rights for the Web Agent to be installed? I know they cannot remediate with Web Agent but is there any other option other than using AC?
ISE support of 2FA. I guess we do that via ASA today with multi authentications options. Is there any other way?

Many thanks,

Abhi

Re: ISE Queries

Charlie Moreton — Fri, 03 Feb 2017 12:42:07 GMT

Abhishek,

1. This is easily accomplished with ISE 2.2. Navigate to Administration > System > Settings > Max Sessions.

2. This is covered in the Clean Access Manager Installation and Configuration Guide.

3. You can perform both authentications of the Two-Factor Authentication flow within ISE. For example using RSA as the second factor as found Here in the Admin Guide.

Re: ISE Queries

Abhishek Kumar — Fri, 03 Feb 2017 14:42:20 GMT

Brilliant, thanks Charles.

Re: ISE Multi-session User Login, NAC Web Agent and 2FA Query

kthiruve — Fri, 03 Feb 2017 18:35:36 GMT

Hi Abhishek,

Few things to remember,

Point 1 above shows how it can be done. Again this is supported in ISE 2.2. However, I dont think we generate alerts on these.

Point 2 above, CCA is an older solution.I would suggest going the ISE route. In ISE 2.2, we have a way to do posture with no URL-redirect that can be used in 3rd party environments. You need Anyconnect for that. Anyconnect has a headless mode where this can be installed without UI. Anyconnect also supports web agent that could be used for non-admin.

For point 3, apart from RSA secure ID, any solution that supports RFC 2865 compliant token server is supported. EAP-chaining can also be considered for two step verification. You can use Symantec VIP with guest for two factor or SAML 2.0 SSO with form-auth. The compatibility guide lists the external ID servers we support

Cisco Identity Services Engine Network Component Compatibility, Release 2.2 - Cisco

ISE Design & Integration Guides talks about Symantec VIP.

Thanks

Krishnan

Re: ISE Multi-session User Login, NAC Web Agent and 2FA Query

Abhishek Kumar — Mon, 06 Feb 2017 10:42:22 GMT

Thanks Krish! Much appreciated..