11-13-2025 05:21 AM - last edited on 11-13-2025 08:27 AM by shazubai
I keep hearing about “Zero Trust with ISE,” but in every environment I test, it’s half-baked — VLAN hopping still possible, NAC bypasses everywhere, and ISE policies left at defaults.
Has anyone seen a real-world, properly implemented ISE deployment that actually enforces Zero Trust principles? Or is this all just marketing fluff?
11-13-2025 02:21 PM
I think if the technology is implemented in the best possible way, then it is a good solution. However, reality throws a large spanner in the works, and then one can end up with a half-baked solution. MAB (MAC Auth Bypass) is such a case in point.
In theory, if every endpoint had an 802.1X supplicant (even if it only supported EAP-PEAP, that would be better than MAB), then we'd have a way to eliminate MAC address cloning. EAP-TLS (cert-based auth) is the goal we strive for.
Regarding the enforcement, Cisco will argue that SDA is the best solution because you can combine VN (VRF) and SGT at the access layer. Makes it hard to VLAN hop around. Again, reality check: not everyone does SDA. In a traditional network you can still strive for dynamic VLAN assignment and strict dACL - at least if someone cloned a MAC address, they could not use that to authorize their hacking device onto another VLAN. Creating a strict dACL is a mission in its own right. But it adds some edge protection.
I have not seen NAC done 100% right in any environment - mainly because 802.1X is hard (or impossible) to implement on so many IoT devices - you are forced to do MAB. By IoT I mean anything that is not a smart device like a PC.
If EAP-TLS seems impossible to implement (certificate lifecycle management), then consider using EAP-PEAP (MSCHAPv2). PEAP has got a dirty name in conjunction with Windows PC supplicants - I don't mean using it on Windows - rather, on devices where getting certs onto them is a pain, use a local ISE credential with a strong password. One would hope that IoT devices all support TLS 1.2 by now - then disable TLS 1.0 and TLS 1.1 in ISE.
Some vendors make EAP-TLS super easy - Axis security cameras come with EAP-TLS enabled by default (with 802.1AR certs). That is a pleasure to use. We need more vendors like this, pushing plug and play solutions.
There is no excuse for using default policies - perhaps Cisco should stop shipping ISE with any defaults to force some discipline - I think any technology needs to be handled correctly if you want good results - you can't blame Cisco's IOS OSPF for a bad routing design if you left everything at default - if you want improvement, then you need to know what you're doing.
In my experience, very few people understand or enjoy NAC as much as they enjoy other technologies - and perhaps NAC is not the only solution. However, I struggle to think of a 100% viable alternative solution that can identify endpoints and then make a decision on what to do with them - or use some kind of traffic flow analysis and AI to figure out if you have a bad actor in the network, and then react to that somehow.
11-14-2025 02:42 PM - edited 11-14-2025 02:43 PM
Zero Trust is a concept - not a feature you
Similarly, NAC is a solution - not a single product. It's made of endpoints, network devices, AAA/RADIUS server, and various identity databases - each with their own capabilities and limitations - that must be assembled to handle a huge number of situations and custom organizational processes.
This is rarely a Layer 2-7 technology problem but a Layer 8 Financial and Layer 9 Political problem in every organization where people have to collaborate to make these different components work together. Many/most endpoints today have 802.1X supplicants but it's not enabled and configured because it is not a priority for the teams that own/manage them because it's not in their SLA/metrics. Meanwhile, the network and/or security team is left to compromise and handle it the best they can: MAB. Many customers prefer not to upgrade to the latest hardware & software because they don't want to spend money and ... if it's not broken, don't fix it. These are not technology problems.
I specifically talked about this in ▷ ISE Deployment Planning and Strategies:
04:58 Everyone has Different Needs
06:08 Objectives, Risk, Priorities, Environment, Scale, Operations
10:57 Organizational Challenges