topic Re: Cisco ISE 2.2 in Network Access Control

Cisco ISE 2.2

jm.virtual01 — Mon, 11 Mar 2019 08:53:40 GMT

Hey,

we have cisco ise 2.2, we have some critical devices in the network and we have profiled them. Everything is working fine. As the default nature for authentication on ise, if the end device cannot pass the authentication then it will go to the Guest VLAN. And in the Guest VLAN, the endpoint can go on the internet. But this is common for all unauthenticated end devices.

But I want to configure it little different way for the critical devices. If the critical devices fail to authenticate then it will go on Guest VLAN that's okay but the critical devices should not go on the internet. How can I block only a few unauthenticated devices to get internet access from Guest VLAN?

Thanks in Advance!

Re: Cisco ISE 2.2

Jason Kunst — Fri, 11 Jan 2019 02:01:04 GMT

You would need to somehow identify those devices

Simplest way would be to create an endpoint group with their Mac addresses and create a rule to say:
If mab and critics devices then return a different ACL that doesn’t allow internet

Re: Cisco ISE 2.2

jm.virtual01 — Fri, 11 Jan 2019 02:04:30 GMT

I have already profiled them and it is working fine. But I do not know, how can I block it to get internet access from guest VLAN once the authentication failed for those endpoints.

Re: Cisco ISE 2.2

Arne Bier — Fri, 11 Jan 2019 02:10:31 GMT

I think this becomes a L3 issue and no longer authentication. If you had TrustSec then it might be trivial because you could assign an SGT to this class of user and enforce a separate ACL on the Firewall.

Perhaps the pragmatic approach is to put this class of user on a separate VLAN? At least then you have an IP source address range which you can use in your firewall/ACL rule set to block internet. It would be the only identifier of this class of user that you have.

A third technique could be to force users through a proxy and catch them there via another round of authentication. But that is another world of pain that I assume you want to avoid.

Re: Cisco ISE 2.2

Jason Kunst — Fri, 11 Jan 2019 17:09:14 GMT

@Arne Bier why wouldn't a different ACL on MAC endpoint group work? Agree SGT is the way to go but if its only a small amount of users might not be worth the effort.VLAN change is crappy but there are already port macros..

https://community.cisco.com/t5/identity-services-engine-ise/solution-for-change-of-vlan-for-wired-guests-using-smart-port/td-p/3432614

Re: Cisco ISE 2.2

Arne Bier — Fri, 11 Jan 2019 20:51:19 GMT

Ah yes of course. You’re right @Jason Kunst a dynamic NAS ACL would take care of it. The client would have a default gateway, but the NAS ACL (e.g. WLC ACL ) acts as a L2 firewall and you could allow only RFC1918 subnets. That would effectively block internet