Anyone Actually Using Cisco ISE Properly for Zero Trust?

dugaldenzil
Community Member

I keep hearing about “Zero Trust with ISE,” but in every environment I test, it’s half-baked — VLAN hopping still possible, NAC bypasses everywhere, and ISE policies left at defaults.

Has anyone seen a real-world, properly implemented ISE deployment that actually enforces Zero Trust principles? Or is this all just marketing fluff?


Arne Bier
VIP

I think if the technology is implemented in the best possible way, then it is a good solution. However, reality throws a large spanner in the works, and then one can end up with a half-baked solution. MAB (MAC Auth Bypass) is such a case in point.

In theory, if every endpoint had an 802.1X supplicant (even if it only supported EAP-PEAP that would be better than MAB) then we'd have a way to eliminate MAC address cloning. EAP-TLS (cert based auth) is the goal we strive for.

Regarding the enforcement, Cisco will argue that SDA is the best solution because you can combine VN (VRF) and SGT at the access layer. Makes it hard to VLAN hop around. Again, reality check... not everyone does SDA. In a traditional network you can still strive for dynamic VLAN assignment and strict dACL - at least if someone cloned a MAC address, they could not use that to authorize their hacking device onto another VLAN. Creating a strict dACL is a mission in its own right. But it adds some edge protection.

I have not seen NAC done 100% right in any environment - mainly because 802.1X is hard (or impossible) to implement on so many IOT devices - you are forced to do MAB. By IOT I mean anything that is not a smart device like a PC.

If EAP-TLS seems impossible to implement (certificate lifecycle management) then consider using EAP-PEAP (MSCHAPv2) - PEAP has got a dirty name in conjunction with Windows PC supplicants - I don't mean using it on Windows - rather, on devices where getting certs onto them is a pain - use a local ISE credential with a strong password. One would hope that IOT devices all support TLS 1.2 by now - then disable TLS 1.0 and TLS 1.1 in ISE.

Some vendors make EAP-TLS super easy - Axis security cameras come with EAP-TLS enabled by default (with 802.1AR certs). That is a pleasure to use. We need more vendors like this, pushing plug and play solutions.

There is no excuse for using default policies - perhaps Cisco should stop shipping ISE with any defaults to force some discipline - I think any technology needs to be handled correctly if you want good results - you can't blame Cisco's IOS OSPF for a bad routing design if you left everything at default - if you want improvement, then you need to know what you're doing.

In my experience, very few people understand or enjoy NAC as much as they enjoy other technologies - and perhaps NAC is not the only solution. However I struggle to think of a 100% viable alternative solution that can identify endpoints and then make a decision on what to do with them - or use some kind of traffic flow analysis and AI to figure out if you have a bad actor in the network, and then react to that somehow.
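The weak spots the reply above calls out (MAB endpoints authorized onto a broad VLAN or permissive dACL, EAP sessions still negotiating TLS 1.0/1.1, and a cloned MAC showing up on two ports at once) can be checked from exported session data. The audit below is an added example, not code from the thread or from Cisco; the record layout, VLAN/dACL names and sample sessions are all constructed and assumed, not ISE's own export format.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed naming for this example; substitute your own VLAN and dACL names.
RESTRICTED_VLANS = {"IOT-RESTRICTED"}
PERMISSIVE_DACLS = {"PERMIT_ALL", "DEFAULT"}
DEPRECATED_TLS = {"TLSv1.0", "TLSv1.1"}

@dataclass
class Session:
    mac: str          # endpoint MAC address
    method: str       # "EAP-TLS", "PEAP-MSCHAPv2" or "MAB"
    tls_version: str  # negotiated TLS version for EAP methods, "" for MAB
    port: str         # switch/port the session was authenticated on
    vlan: str         # VLAN assigned by the authorization profile
    dacl: str         # dACL name pushed to the port

def audit(sessions):
    """Return (mac, reason) tuples for sessions that undermine the NAC design."""
    findings = []
    ports_by_mac = defaultdict(set)
    for s in sessions:
        ports_by_mac[s.mac].add(s.port)
        if s.method == "MAB":
            # MAB proves nothing about the device; keep it boxed in.
            if s.vlan not in RESTRICTED_VLANS:
                findings.append((s.mac, f"MAB endpoint authorized onto VLAN {s.vlan}"))
            if s.dacl in PERMISSIVE_DACLS:
                findings.append((s.mac, f"MAB endpoint received permissive dACL {s.dacl}"))
        elif s.tls_version in DEPRECATED_TLS:
            findings.append((s.mac, f"{s.method} negotiated {s.tls_version}"))
    # The same MAC active on two ports at once is the classic sign of cloning.
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            findings.append((mac, f"MAC active on multiple ports: {sorted(ports)}"))
    return findings

# Constructed sample sessions (not real ISE output).
SAMPLE = [
    Session("00:11:22:33:44:01", "EAP-TLS", "TLSv1.2", "sw1/Gi1/0/1", "CORP", "CORP_ACL"),
    Session("00:11:22:33:44:02", "PEAP-MSCHAPv2", "TLSv1.0", "sw1/Gi1/0/2", "CORP", "CORP_ACL"),
    Session("00:11:22:33:44:03", "MAB", "", "sw1/Gi1/0/3", "IOT-RESTRICTED", "IOT_ACL"),
    Session("00:11:22:33:44:04", "MAB", "", "sw1/Gi1/0/4", "CORP", "PERMIT_ALL"),
    Session("00:11:22:33:44:04", "MAB", "", "sw2/Gi1/0/9", "CORP", "PERMIT_ALL"),
]

if __name__ == "__main__":
    for mac, reason in audit(SAMPLE):
        print(mac, reason)
```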