topic Re: Dot1x without external identity store in Network Access Control

Dot1x without external identity store

DamianRCL — Wed, 27 Mar 2024 11:29:00 GMT

Hello,

Is it possible to implement Dot1x without AD or LDAP integration? If so, what are some ways it can be done?

Thank you.

Re: Dot1x without external identity store

Rob Ingram — Wed, 27 Mar 2024 11:41:00 GMT

@DamianRCL you can perform 802.1X using EAP-TLS certificates without an External Identity Source.

Though, typically if using certificates issued from an Internal CA you would authenticate the certificates and then optionally perform a lookup against AD for associated attributes, if required.

You could use a local account on ISE, I would not recommend it as it's not scalable solution.

Re: Dot1x without external identity store

MHM Cisco World — Wed, 27 Mar 2024 11:43:12 GMT

If you have radius server then sure you can use it local DB for auth the endpoint

MHM

Re: Dot1x without external identity store

DamianRCL — Wed, 27 Mar 2024 12:10:35 GMT

All good points. Thanks.

Is it also possible to use profiling probe results for authentication and authorization?

Re: Dot1x without external identity store

MHM Cisco World — Wed, 27 Mar 2024 12:16:33 GMT

ISE can use MAB or chap' and you can use profile.

MHM

Re: Dot1x without external identity store

Karsten Iwen — Wed, 27 Mar 2024 12:17:01 GMT

Yes, you can. But perhaps you better describe what your goal is that you want to achieve?

Re: Dot1x without external identity store

Rob Ingram — Wed, 27 Mar 2024 12:27:07 GMT

@DamianRCL use MAB or DOT1X for authentication and then you can use the Profiling attributes as conditions in authorisation rules, assuming you have the licensing (requires the Advantage license) for it.

Re: Dot1x without external identity store

DamianRCL — Wed, 27 Mar 2024 12:29:09 GMT

The network I'm working on uses LDAP. I would use that as an external ID store, but there would be too many hurdles (people hurdles not technical). Currently port security is performed manually, which is an administrative chore. My goal is to implement 802.1x in a secure way without integrating with LDAP. Let me know if you need more details. Thanks.

Re: Dot1x without external identity store

Rob Ingram — Wed, 27 Mar 2024 12:41:53 GMT

@DamianRCL IMO, it doesn't seem practical to not integrate with LDAP if you have it. You will also need to consider the configuration of the endpoint supplicants configuration and how they will be configured, in an AD environment this can be deployed centrally.

If you still decide not to use an External Identity Source then EAP-TLS is the most secure method, you could use the ISE CA and onboard the devices, where the users will enrol and receive a certificate. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867

Re: Dot1x without external identity store

DamianRCL — Wed, 27 Mar 2024 12:51:08 GMT

Duly noted, Rob. My intent was to roll this out while limiting the involvement of other silos, but it appears that won't be possible. I'll shoot for LDAP integration when the time comes.

Thanks!

Re: Dot1x without external identity store

thomas — Wed, 27 Mar 2024 14:54:51 GMT

Yes, I demonstrated this in

▷ User & Endpoint Custom Attributes 2022-09-06

05:01 Defining User Custom Attributes for ISE Internal Users
06:10 Defining Endpoint Custom Attributes and their Common Uses
07:36 Demo: Creating User Custom Attributes
10:41 Demo: ISE 802.1X Policy Review, and Authentication

Re: Dot1x without external identity store

DamianRCL — Thu, 28 Mar 2024 11:16:44 GMT

Thanks, Thomas. I'll be sure to take a look!

Re: Dot1x without external identity store

Pulkit Mittal — Thu, 28 Mar 2024 11:26:09 GMT

Implementing 802.1X (Dot1x) without integrating with Active Directory (AD) or LDAP is possible in Cisco Identity Services Engine (ISE). Here are some ways to achieve this:

Local Identity Store:
- Local identity store within ISE allows you to create and manage user accounts directly within ISE.
- You can define users and their credentials (username/password) directly in ISE.
- While this approach is feasible, it’s not recommended for large-scale deployments due to scalability and management challenges.
Certificate-Based Authentication:
- Instead of relying on AD or LDAP for user authentication, consider using certificate-based authentication.
- Configure ISE to accept client certificates (such as EAP-TLS) for authentication.
- Clients present their certificates during the 802.1X process, and ISE validates them against its local certificate store or a trusted Certificate Authority (CA).
Guest Services:
- If you’re implementing Dot1x for guest access, ISE can handle guest authentication without AD or LDAP integration.
- Set up a guest portal in ISE, create guest accounts, and allow access based on credentials provided during the guest registration process.
Machine Authentication (MAB):
- While not true Dot1x, Machine Authentication Bypass (MAB) allows devices to authenticate based on their MAC addresses.
- Configure MAB policies in ISE to allow certain devices (e.g., printers, IP phones) without relying on AD or LDAP.
Custom Identity Sources:
- ISE allows you to define custom identity sources beyond AD and LDAP.
- You can create custom identity sources using RADIUS, RSA SecurID, or other methods.
- While not common, it provides flexibility for specific use cases.
Local Web Authentication:
- For scenarios where you need to authenticate users via a captive portal (web page), ISE can perform local web authentication.
- Users provide credentials directly to ISE via the web portal.

Remember that while these methods allow Dot1x without AD or LDAP, they have limitations. Consider your specific requirements, scalability, and security needs when choosing the appropriate approach for your deployment.

If you find this useful, please mark it helpful and accept the solution.

Re: Dot1x without external identity store

DamianRCL — Thu, 28 Mar 2024 11:46:50 GMT

Thanks for this, Pulkit. This places things into perspective very nicely.

Re: Dot1x without external identity store

Karsten Iwen — Thu, 28 Mar 2024 11:52:58 GMT

But always keep in mind that ChaptGPT often gives inaccurate answers.

Re: Dot1x without external identity store

DamianRCL — Thu, 28 Mar 2024 16:57:16 GMT

So, I might be interested in using the local ID store, since I have no more than 150 wired users at an given time. The upfront work of putting in those users would still be better than manually configuring ports.

I see "External Identity Sources" under "Administration," but where is the local identity store. Also, if going this route, how does it work? Would a user have to put in credentials twice, once for ISE, then again for LDAP?

Edit:

I've done some digging and learned where the local users are stored. It would appear I can have the internal users leverage LDAP for passwords. This is helpful. A question that remains is, how does the "Internal Users" option in Policy Sets tie back to the users I've added to network access users?