ACS for Device authentication

paulhughes5
Level 1

Hello

I am looking to deploy a NAC device in our office and currently have an ACS server that handles wireless authentication.

I would like to know if the ACS is capable of authenticating users on a LAN with both 802.1x and device detection (such as MAC address and ID)?

If I can do the latter how do you set that up on an ACS?

Thanks in advance

Paul

5 Replies

Nicolas Darchis
Cisco Employee

Your question is most confusing to me.

What do you mean with "NAC device", there are several types of them.

What do you mean with "device detection ?"

Yes, ACS can authenticate users and you can have some wired users authenticating with their mac address and others through 802.1x, that's pretty straightforward actually. For mac address devices, the username=password=mac address, that's it.

Now, maybe you meant the NAC profiler (which is end of life to the benefit of the ISE Profiling engine, by the way). What NAC profiler does is scan the network and identify devices through their behavior. It then builds up a list of devices and their mac address. ACS can use that information as a database for authentication. ACS is still the authenticating device and Profiler just the "device database". Same thing for the ISE (but ISE combines the ACS + the Profiling engine).

In terms of device detection I mean being able to identify the device as it connects and check it is authorised to be on the LAN, ideally from some unique ID that isn't just a MAC address (due to spoofing).

On top of that user auth would determine VLAN etc... which I know we can do with the ACS, I just don't know if it can do the device part on its own or if it needs the ISE (or similar).

Thanks

So my answer is correct ...

ACS is an authentication server. It can authenticate devices.

NAC Profiler, which is now replaced with the ISE Profiling Engine, analyzes the behavior of devices in real time to identify them. ACS will use that as a device database.

If using ISE, you only need ISE, it profiles and authenticates as well (it combines ACS+Profiler+other services).

What you seem to be uncomfortable with is the way the Profiling works, I would suggest you to read Profiler or ISE documentation to know more about it.

It identifies a device through its behavior. Then it authorizes the mac address. You are forced to trust on a mac address basis because the system is made for non-802.1x devices, so you can't "talk" to the device or assign it any ID or whatever.

However, it's not a static list of mac addresses. The mac address is allowed only if it's online and it corresponds to an allowed type of device.

It can, for example, differentiate a phone from an XBOX from a laptop by looking at the fields of the DHCP request of the device, etc ... it can also do polling on the switch to check for CDP information etc ...
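The two authorization models described in this thread (ACS-style MAB with a static mac list where username=password=mac address, versus profiler-style authorization where the mac is allowed only while it is online and matches an allowed device type) side by side, as an added example that is not code from the thread or from Cisco. It assumes the switch also sends the mac as the RADIUS Calling-Station-Id attribute (standard for MAB, not stated above); the allow-list, the DHCP option 55 fingerprint table and the device types are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed sample data: the "enter all mac addresses one by one" ACS list,
# and a tiny DHCP option-55 (parameter request list) fingerprint table standing
# in for a profiler's device database. Real fingerprints differ.
STATIC_ALLOW_LIST = {"001122aabbcc", "00aa11bb22cc"}
DHCP55_FINGERPRINTS = {
    (1, 3, 6, 15): "ip-phone",              # constructed
    (1, 3, 6, 15, 31, 33, 43): "laptop",    # constructed
}
ALLOWED_TYPES = {"ip-phone", "laptop"}


def normalize_mac(value: str) -> Optional[str]:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value)
    return hexdigits.lower() if len(hexdigits) == 12 else None


@dataclass
class MabRequest:
    username: str            # User-Name: the mac address
    password: str            # User-Password: the mac address again
    calling_station_id: str  # Calling-Station-Id: mac as seen by the switch


def _consistent_mac(req: MabRequest) -> Optional[str]:
    """MAB sanity check: all three fields must carry the same mac."""
    mac = normalize_mac(req.username)
    if mac is None or normalize_mac(req.password) != mac:
        return None
    return mac if normalize_mac(req.calling_station_id) == mac else None


def mab_static(req: MabRequest) -> str:
    """ACS without a profiler: a mac is accepted iff it was entered by hand.
    As the thread notes, a spoofed mac that is on the list still passes."""
    mac = _consistent_mac(req)
    return "accept" if mac is not None and mac in STATIC_ALLOW_LIST else "reject"


def mab_profiled(req: MabRequest, dhcp55: Sequence[int], online: bool) -> str:
    """Profiler style: no static list; the mac is accepted only while the
    endpoint is online and its DHCP fingerprint maps to an allowed type."""
    if _consistent_mac(req) is None or not online:
        return "reject"
    device_type = DHCP55_FINGERPRINTS.get(tuple(dhcp55))
    return "accept" if device_type in ALLOWED_TYPES else "reject"
```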

Ok thanks.

Just to clarify things before I go looking for an ISE trial, without it the ACS will only do user auth (username+password) not any kind of device based auth (MAC/behavior)?

As mentioned, the ACS will authenticate whatever you ask it. But you need to enter all mac addresses one by one then.

The profiling engine of ISE does that in real-time depending on the devices' behaviors.