topic Re: Identity Services Engine Remediation or Quarantine VLAN Help in Network Access Control

Identity Services Engine Remediation or Quarantine VLAN Help

Alex Pfeil — Wed, 16 Mar 2022 19:48:07 GMT

We currently have devices being removed from AD after a certain period of time and removed from ISE after a certain period of time. Sometimes, these devices need to be re-added to the domain and ISE. However, if they are not in ISE and not in the domain, they cannot get on the network to get back onto the domain.

Our current workaround for wireless devices is to get on our guest network and then VPN and re-join to the domain.

The wired process is to remove 802.1X and MAB from the switchport configuration, re-join the computer to the domain, and then re-add the configuration to the switch.

I would like to have an access-list that would get applied to a failed device which would allow it to be re-joined to the network without posing a high risk to the network. Does anybody have a security concern for the access-lists that are recommended today?

Thanks,

Alex

Re: Identity Services Engine Remediation or Quarantine VLAN Help

Rob Ingram — Wed, 16 Mar 2022 20:31:27 GMT

@Alex Pfeil instead of removing dot1x from the switch port config you could use a CWA to force a user to be redirected to a Web portal to login, if successful push down a DACL which permits limited access to the network to rejoin the domain.

Re: Identity Services Engine Remediation or Quarantine VLAN Help

Alex Pfeil — Thu, 17 Mar 2022 12:17:37 GMT

That sounds like a great solution! I will take a look into it.