topic Re: Unique NAC Solution using ISE in Network Access Control

Unique NAC Solution using ISE

Hemant Bharati — Tue, 11 Oct 2016 20:14:44 GMT

My customer is a Core Banking Solution provider they manage the DC service and the branches are managed by Banks.

Customer is looking for NAC solution which can be implemented in the DC without touching the branches.

I am looking for pointers on how can we use ISE to only allow domain Users on authorized machines only.

All other personal or unauthorized laptops to be blocked.

Branches have only wired network
Branches have ISR800M routers

Re: Unique NAC Solution using ISE

hslai — Thu, 13 Oct 2016 13:48:41 GMT

Use AD as the ID sources and check AD group memberships to allow only domain users. Use ISE profiling and/or ISE posture to enforce on authorized machines. If Windows, then it's possible to use EAP Chaining to check both user and machine identities via EAP-FAST. Another option is to use CWA chaining.

Re: Unique NAC Solution using ISE

Hemant Bharati — Thu, 13 Oct 2016 13:55:26 GMT

Will this work without any control on access switches? Customer wants the solution to work with end user machines only and ise being deployed at data center

The branch network is not under his control

Re: Unique NAC Solution using ISE

thomas — Mon, 17 Oct 2016 21:19:51 GMT

Please see the latest ISE Compatibility Guide for supported network access devices.

ISR 8xx have relatively poor ISE feature support on switchports beyond basic 802.1X and TrustSec:


ISR 88x, 89x Series	IOS 15.3.2T(ED)	√	!	X	!	X	X	√

If they don't own/manage the ISR800's it doesn't really matter since you will have no way to configure and manage the endpoint at the edge 8-(