Machine authentication for IOS routers, switches

susreeni (Cisco Employee)

Hi team,

I'm working with a customer who has a requirement to authenticate routers against ISE using digital certificates.

They want to ensure that any network devices such as IOS routers and switches are subjected to machine authentication using identity certificates pre-installed on the device when these devices are deployed to their network.

In essence, the routers and switches in their deployment should authenticate themselves before being granted network access.

This requirement of theirs stems from the fact that the entire solution is being designed for the defense vertical.

Any insight on how this requirement can be met, with ISE or otherwise, will be much appreciated!

Accepted Solution

You are talking about NDAC that establishes Trustsec domain boundary.

Here is the doc that explains nicely all about NDAC:

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/how_to_intro_macsec_ndac_guide.pd…

-Krishnan


4 Replies

ognyan.totev (Level 5)

I don't get why the customer wants this. These devices are usually added into ISE, in the network device list. And if for some reason authentication fails, it will DENY ACCESS. If the NAD is in deny access, all endpoints will not be able to have access. I think this is not recommended. And usually all RADIUS and TACACS are included in the triple AAA model.

Here in the community we have some gurus and they will answer you, but as I mentioned, this is not good.

kthiruve (Cisco Employee)

Are you talking about NEAT? Please take a look at this doc.

NEAT Configuration Example with Cisco Identity Services Engine - Cisco

-Krishnan

Hi Krishnan,

NEAT isn't the scenario that the customer is looking at.

From what I understand, NEAT is an 802.1x scenario where both the authenticator (IOS switch) and the supplicant mutually authenticate each other, rather than only the supplicant being authenticated, which is normally the case.

The requirement is simply one where IOS routers and IOS switches themselves will be supplicants to the network, with certificates being their 802.1x credentials (perhaps EAP-TLS needs to be the 802.1x method?).

Regards,

Sundar
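For the scenario Sundar describes (an IOS device acting as the 802.1x supplicant and presenting its pre-installed identity certificate via EAP-TLS, as opposed to the NDAC path in the accepted answer), the following is an added illustrative IOS configuration; it is not from this thread or from Cisco's documentation. The trustpoint name ROUTER-ID, the EAP profile and credentials names, the identity router1 and the uplink interface GigabitEthernet0/1 are assumed placeholders, and the device certificate and CA chain are assumed to be already enrolled in the trustpoint. Command availability varies by platform and release, so check it against the IOS 802.1X supplicant documentation for the device in question.

```text
! Trustpoint holding the device identity certificate and the CA chain
! (assumed already enrolled; the enrollment method is deployment-specific,
! so it is left out here)
crypto pki trustpoint ROUTER-ID
!
! EAP profile: negotiate EAP-TLS and present the certificate from the trustpoint
eap profile EAP-TLS-SUPP
 method tls
 pki-trustpoint ROUTER-ID
!
! 802.1x credentials the supplicant uses: an outer identity plus the
! trustpoint whose certificate proves that identity inside the TLS handshake
dot1x credentials ROUTER-CREDS
 username router1
 pki-trustpoint ROUTER-ID
!
dot1x system-auth-control
!
! Uplink toward the authenticator switch: run this port as a supplicant
interface GigabitEthernet0/1
 dot1x pae supplicant
 dot1x credentials ROUTER-CREDS
 dot1x supplicant eap profile EAP-TLS-SUPP
!
! Verification after the port comes up (hypothetical interface name):
! show dot1x interface GigabitEthernet0/1 details
! show crypto pki certificates ROUTER-ID
```

On the ISE side this only works if EAP-TLS is allowed in the policy set's allowed-protocols list and a certificate authentication profile maps the subject or SAN of the device certificate to an identity, and the authenticator port facing the router must itself be running 802.1x. Because the supplicant validates the RADIUS server's certificate against the trustpoint, the CA chain in ROUTER-ID must include the issuer of the ISE EAP certificate, otherwise authentication fails before the device certificate is ever sent.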

