ISE dot1x deployment using MAR

Hi, I'm working on a deployment of dot1x in my network and I need some recommendations and best practices.

Main IDEA, in authentication:

1 - First method dot1x:
- Machine authentication with AD, native supplicant (using MAR)
- User authentication with AD (PEAP). VLAN assignment based on user group

2 - MAB for devices that don't support dot1x. For example printers or old devices
3 - VLAN with restricted access for guests.

Some questions:

With MAR and keeping in mind user mobility (a user that logs in on another computer and ISE assigns the same VLAN in any place)
- What is the recommendation for computer authentication? Assign a VLAN with restricted access to permit the user to log in?

New computers that are not joined to AD yet.
- Can I use MAB to authenticate the computer and again permit this restricted VLAN that has access to do the Active Directory join?
This option needs extra effort: loading the MAC address into an Endpoint Group.

In the assumption that the computer is already authenticated:
- With this scenario of new computers, can the IT department authenticate to the network using for example only a domain user (MAR)? I think yes if the policy is "machine authenticated or user".

If the supplicant in Windows is configured to send the AD user login automatically:
Is it possible to authenticate a local machine user (not a domain user, a local admin user on the computer)?

MAR is the simple way to do it without installing AnyConnect, but
what are the benefits of using EAP Chaining with AnyConnect?

Does anyone have experience with this scenario or a similar one? What are the best practices and the logical sequence of authentication?

How would you do it?

Thanks in advance.

CCNP R&S, CCNP Security, CCNA CyberOps
Cisco Employee

Re: ISE dot1x deployment using MAR

I'm not sure there is a best practice, as there are many options; it's rather what meets your corporate policy requirements.

With MAR and keeping in mind user mobility (a user that logs in on another computer and ISE assigns the same VLAN in any place)
- What is the recommendation for computer authentication? Assign a VLAN with restricted access to permit the user to log in?

** I would recommend using a dACL; that way you don't need to rely on VLAN restrictions in your network.

New computers that are not joined to AD yet.
- Can I use MAB to authenticate the computer and again permit this restricted VLAN that has access to do the Active Directory join? This option needs extra effort: loading the MAC address into an Endpoint Group.

** Again I recommend using a dACL. Using dVLAN can be tricky, as not all endpoints know how to release and renew their IP address based on a VLAN change; make sure you understand the endpoint behavior when it comes to dVLANs.

In the assumption that the computer is already authenticated:
- With this scenario of new computers, can the IT department authenticate to the network using for example only a domain user (MAR)? I think yes if the policy is "machine authenticated or user".

** You can set the supplicant to authenticate based on user, computer, or both.

If the supplicant in Windows is configured to send the AD user login automatically:
Is it possible to authenticate a local machine user (not a domain user, a local admin user on the computer)?

** This won't work, as it's local to the PC and AD does not know of locally managed accounts, so authentication would fail.

MAR is the simple way to do it without installing AnyConnect, but
what are the benefits of using EAP Chaining with AnyConnect?

** EAP chaining uses the EAP-FAST protocol, which most supplicants do not support natively, hence the use of AnyConnect.
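The logical sequence the question asks for (machine auth with MAR, then user auth, MAB for non-dot1x devices and pre-join workstations, restricted access otherwise) together with the reply's "use a dACL, not a VLAN change" recommendation, as an added simulation that is not part of this thread and not ISE's own code or API. It is a small Python model of an authorization policy: a MAR cache with an aging window, MAB endpoint groups, and a dACL name as the result. `AD_ACCOUNTS`, `ENDPOINT_GROUPS`, `MarCache`, `authorize`, `walk_through`, every dACL name and every MAC address and identity are constructed for this example and are not ISE object names.

```python
import time
from dataclasses import dataclass, field

# Constructed stand-in for Active Directory: identity -> groups it belongs to.
# Machine accounts use the host/ prefix the native Windows supplicant sends.
AD_ACCOUNTS = {
    "host/PC01.corp.example": ("Domain Computers",),
    "CORP\\alice": ("Domain Users", "Finance"),
    "CORP\\bob": ("Domain Users", "Engineering"),
}

# Constructed endpoint groups for MAB. Loading MACs here is the "extra effort"
# the question mentions for workstations that are not joined to AD yet.
ENDPOINT_GROUPS = {
    "00:11:22:33:44:55": "Printers",
    "aa:bb:cc:dd:ee:01": "Pre-Join-Workstations",
}

# Hypothetical dACL names. The reply prefers dACLs over dVLAN because many
# endpoints do not release/renew their address after a VLAN move.
GROUP_DACL = {"Finance": "FINANCE-DACL", "Engineering": "ENG-DACL"}
MACHINE_ONLY_DACL = "MACHINE-ONLY-DACL"     # just enough for a domain logon
USER_NO_MAR_DACL = "USER-RESTRICTED-DACL"   # user passed, machine never did
PRINTER_DACL = "PRINTER-DACL"
AD_JOIN_DACL = "AD-JOIN-DACL"               # DC, DNS, Kerberos, LDAP only
GUEST_DACL = "GUEST-DACL"


@dataclass
class MarCache:
    """Machine Access Restriction cache: MAC -> time machine auth last succeeded."""
    aging_seconds: float
    entries: dict = field(default_factory=dict)

    def record(self, mac, now):
        self.entries[mac] = now

    def is_fresh(self, mac, now):
        seen = self.entries.get(mac)
        return seen is not None and (now - seen) <= self.aging_seconds


def authorize(mac, method, identity, mar, now=None):
    """Return (outcome, dacl) for one session, following the thread's sequence:
    dot1x machine auth -> dot1x user auth checked against MAR -> MAB -> guest."""
    now = time.time() if now is None else now
    mac = mac.lower()

    if method == "dot1x":
        groups = AD_ACCOUNTS.get(identity)
        if groups is None:
            # Local PC accounts (e.g. PC01\Administrator) are unknown to AD: reject,
            # which is the outcome the reply describes for local accounts.
            return ("REJECT", None)
        if identity.startswith("host/"):
            mar.record(mac, now)                 # machine auth succeeded
            return ("PERMIT", MACHINE_ONLY_DACL)
        if not mar.is_fresh(mac, now):
            # User credentials alone: no fresh machine auth, so restricted access.
            return ("PERMIT", USER_NO_MAR_DACL)
        for g in groups:                         # VLAN-free "assignment by user group"
            if g in GROUP_DACL:
                return ("PERMIT", GROUP_DACL[g])
        return ("PERMIT", USER_NO_MAR_DACL)

    if method == "mab":
        group = ENDPOINT_GROUPS.get(mac)
        if group == "Printers":
            return ("PERMIT", PRINTER_DACL)
        if group == "Pre-Join-Workstations":
            return ("PERMIT", AD_JOIN_DACL)
        return ("PERMIT", GUEST_DACL)            # unknown MAC: restricted/guest access

    return ("REJECT", None)


def walk_through():
    """Constructed session sequence for one new workstation and one printer."""
    mar = MarCache(aging_seconds=8 * 3600)
    pc = "AA:BB:CC:DD:EE:01"
    results = []
    # 1. Unjoined PC has no domain identity, falls to MAB and gets join-only access.
    results.append(authorize(pc, "mab", "", mar, now=0))
    # 2. After the join, the native supplicant authenticates the machine account.
    results.append(authorize(pc, "dot1x", "host/PC01.corp.example", mar, now=60))
    # 3. alice logs on while the MAR entry is fresh: her group dACL applies.
    results.append(authorize(pc, "dot1x", "CORP\\alice", mar, now=120))
    # 4. A local admin account is unknown to AD and is rejected.
    results.append(authorize(pc, "dot1x", "PC01\\Administrator", mar, now=180))
    # 5. Same user after the MAR entry aged out with no new machine auth.
    results.append(authorize(pc, "dot1x", "CORP\\alice", mar, now=10 * 3600))
    # 6. Printer: MAB via its endpoint group.
    results.append(authorize("00:11:22:33:44:55", "mab", "", mar, now=0))
    return results


if __name__ == "__main__":
    for step, (outcome, dacl) in enumerate(walk_through(), 1):
        print(step, outcome, dacl)
```

Step 5 is the part worth studying: the MAR cache is keyed on the MAC and ages out, so a user on a machine whose entry expired (for example a laptop that resumed from sleep without re-authenticating the machine account) drops to the restricted dACL rather than the group dACL. In ISE this check is expressed as an authorization-rule condition rather than code, but the ordering of rules has to reflect the same sequence, and every result here is a dACL so no endpoint ever has to renew its address after a VLAN change.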
