topic Re: Cisco ISE use case/provisioning laptop or computers in Network Access Control

Cisco ISE use case/provisioning laptop or computers

network_geek1979 — Fri, 04 Jun 2021 14:06:06 GMT

Folks,

We have this use case of allowing laptops which are in provisioning stages to be connected to the network. The challenge is that these laptops must reach the provisioning servers bare minimum.

The testing and layout of our network is such that if the laptop is able to authenticate itself with 802.1x it gets the desired employee access. For this, the laptop already has the employee certificate and profiles.

If this is not the case the laptop get a guest access which means internet only.

This is not the same with a laptop under provisioning i.e. it should not get Internet only. Any hints or suggestions how we can overcome this use case?

Thanks,

N!!

Re: Cisco ISE use case/provisioning laptop or computers

balaji.bandi — Fri, 04 Jun 2021 14:21:03 GMT

The testing and layout of our network is such that if the laptop is able to authenticate itself with 802.1x it gets the desired employee access. For this, the laptop already has the employee certificate and profiles.

ISE put the device in default VLAN, which you can use for device provisioning based on the device authentication here allocate Device to different VLAN as on boarding VLAN.

Hope you looking the device to connect SCCM Server ?

Re: Cisco ISE use case/provisioning laptop or computers

network_geek1979 — Fri, 04 Jun 2021 15:28:23 GMT

Thanks for the response Balaji.

The challenge we have is that the default VLAN is considered as the Guest VLAN which is internet access alone.

Unless I did not understand you well.

The other method we were thinking is using any API's? Enter the MAC of the laptop to be provisioned through some API and create a list of such MAC address. Then this policy set get a assigned VLAN for the provisioning.

Maybe any other method?

Thanks!!

Re: Cisco ISE use case/provisioning laptop or computers

balaji.bandi — Fri, 04 Jun 2021 16:51:58 GMT

Which you can use for device provisioning based on the device authentication here allocate Device to different VLAN as on boarding VLAN.

My suggestion was the same as you thinking different VLAN not the same as the default.

As you mentioned the First post the device has Certificate? yes or no.

if yes you identified the device to send the different VLAN, if no you need to MAB authentication with MAC Address based and allocated to provision VLAN as workflow.

Re: Cisco ISE use case/provisioning laptop or computers

thomas — Sun, 06 Jun 2021 23:20:29 GMT

You will need to add ACL entry(s) to your default VLAN that also permits access to your provisioning server(s).

Alternatively, some customers use open ports in physically secure rooms to provision servers.

You may also create temporary MAB exceptions if you know the devices but that's not very dynamic. I've seen this temporary access called a "voucher". See https://developer.cisco.com/codeexchange/github/repo/obrigg/Vanilla-ISE

You could login to the guest portal with an ISE internal user 'provisioning' account that allows internal access only to the necessary servers.

Many options here depending on what you find [un]acceptable.

Re: Cisco ISE use case/provisioning laptop or computers

Greg Gibbs — Mon, 07 Jun 2021 00:10:13 GMT

This is a common issue with NAC-enabled environments due to the way Windows builds work and the fact that MS never implemented a way to enable 802.1x at an early stage in the build. See a similar discussion with some suggestions in this post.

PC Imaging on NAC secured ports

Re: Cisco ISE use case/provisioning laptop or computers

network_geek1979 — Fri, 11 Jun 2021 06:37:36 GMT

Sorry again for the delayed response.

The device will have no certificate as it will still be in the provisioning state.

The MAB based is fine, but now we will have to assign MAC addresses manually.