topic Re: Cisco ISE along with SCCM in Network Access Control

Cisco ISE along with SCCM

Amr Moussa — Wed, 25 May 2022 16:36:44 GMT

We have already Microsoft SCCM and we have Cisco ISE, our design now is built on MAB authentication, but we need now to move to DOT1X, the problem we see is that we use SCCM to deploy Windows images to the new machines so they will be just a bare metal without any system on them, so how can we do it without using MAB because MAB is less secure and it can be lead to MAC spoofing.

Re: Cisco ISE along with SCCM

ahollifield — Wed, 25 May 2022 20:10:30 GMT

Use SCCM to push certificates to your managed Windows machines. Use those certificates to perform EAP-TLS authentication via 802.1X to ISE.

Re: Cisco ISE along with SCCM

Amr Moussa — Wed, 25 May 2022 20:18:37 GMT

I am not taking about managed Windows machines, I am asking about the unmanaged machines that doesn't have a Windows system yet and we are need sccm to push and deploy Windows to them.

Re: Cisco ISE along with SCCM

ahollifield — Wed, 25 May 2022 23:06:57 GMT

Got it, so you are talking about provision new machines that do not have any supplicant configuration. This is a classic chicken and egg scenario. You have a couple of options here:

Configure specialized "build ports" inside of locked room for example that do not have any authentication enabled. Build PC, remove from room, and deploy.
Continue to use MAB with a whitelist. Place MAC address of PC in whitelist. Once SCCM build complete, remove MAC address from Whitelist. Always leave whitelist empty except during builds.
Deploy a default authz that only allows access to SCCM. If 802.1x succeeds: full access. If 802.1X fails: dACL/pre-auth/named ACL that only allows DHCP, DNS, and access to SCCM.

Re: Cisco ISE along with SCCM

Amr Moussa — Wed, 25 May 2022 23:16:06 GMT

I think your first solution may be applicable but it will cause some confusion because now we will have a vulenrabilbe room that if any one know about it can access our network.

for the other solution (Deploy a default authz that only allows access to SCCM. If 802.1x succeeds: full access. If 802.1X fails: dACL/pre-auth/named ACL that only allows DHCP, DNS, and access to SCCM.) this is not enough because those machines are gonna join the domain so they will ne access also to the domain controllers and this will be a very dangerous something to leave.

Re: Cisco ISE along with SCCM

ahollifield — Wed, 25 May 2022 23:24:04 GMT

Well you have to make some concessions somewhere because you cannot do 802.1X without a proper supplicant configuration or credentials. You won't get your supplicant configuration or credentials until you can talk to SCCM and AD.

Another option would be to do something like InTune or MS Autopilot and join the new machine to a guest network for example and provision over the internet. Once provisioning has taken place, then connect the machine to your corporate network as normal.

If an unauthorized user can access a locked/secured room then that is a physical security problem, not a NAC problem.

What is wrong with the whitelist MAB idea? If the whitelist is normally empty any unknown MAC address would be denied.

Re: Cisco ISE along with SCCM

Greg Gibbs — Wed, 25 May 2022 23:25:41 GMT

See a similar discussion with some additional detail and options here:

PC Imaging on NAC secured ports

Re: Cisco ISE along with SCCM

Amr Moussa — Wed, 25 May 2022 23:39:39 GMT

the only problem with the MAB idea is the headache, we need to add and remove the MAC on any deployment.