
ASA and ISE

TCAM
Level 1

If I'm not posting this in the right area, just let me know where it should go and I'll repost it there.

I have a situation and need some advice. I have a client who deployed an ASA 5505 as an Easy VPN hard client at a remote location, and it is working great. The client would like to lock down the built-in switchports to prevent issues when people plug random devices in, to keep them off the network.

One thing that comes to mind is dot1x, but the ASA and its built-in switchports do not support the dot1x feature, so an external Cisco switch would be needed. I would prefer not to add an external device to the ASA 5505 if possible. What are the other options? Locking down authorized user PCs' MAC addresses works, but it is not flexible since users may be roaming around. I am thinking of posturing: can ISE support this, and how would it integrate with the ASA? Does ISE require dot1x to be enabled? Any suggestions are appreciated. Thanks

4 Replies

Tarik Admani
VIP Alumni

Hi,

The switchports on the ASA do not support dot1x, as you clarified. However, if you send the ports to a black-hole VLAN, the clients will not get any IP address and will not be able to connect. You could also shut down the interfaces that aren't being used.

You cannot leverage ISE for web authentication, or any other feature you would see on an IOS switch, on the ASA.

Thanks,

Sent from Cisco Technical Support iPad App

Thanks for the suggestions, Tarik Admani.

I was hoping to build some intelligent checks (like posturing) on the ASA to permit or deny what users have access to across various resources. It is more like NAC on the ASA. I am open to other ideas. Thanks

I'm going to agree with Tarik on this one... shutting down or otherwise black-holing the ports is your only real choice. Since you're using the ASA for Easy VPN, I can't even suggest putting the other ports on their own VLAN and having attached users VPN in to the local ASA, because the ASA won't accept remote-access connections while acting as an Easy VPN client.

The only alternatives I could think of are:

1. Limiting by MAC address (you've already covered that one)

2. Putting all the other ports on their own DMZ-esque VLAN and limiting usability with a layer 3 / 4 ACL (may not be feasible)

3. Configure the ASA for cut-through proxy, requiring users on those ports (identified as being in a separate VLAN) to authenticate before connecting to the network (per http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml). This should work, but it would be a pretty complex bit of work just to allow only partial use of a few switchports... sending out a switch to sit behind the ASA is probably easier.
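To make the options in the reply above concrete, here is an added ASA CLI example; it is not configuration from the thread or from the linked Cisco document, and it has not been validated on the poster's box. It assumes a 5505 running 8.x with a Security Plus license (the Base license caps the box at three VLANs and requires `no forward interface` on the third one, so check `show version` first), with Vlan1 already named inside and Vlan2 already named outside for the Easy VPN hard client. The interface names, the guest subnet 192.168.3.0/24, the server addresses 10.10.10.5 and 10.10.10.20, and the RADIUS group name RADIUS_SRV are placeholders. The block covers shutting down unused ports, a restricted guest VLAN with a layer 3/4 ACL (option 2), and cut-through proxy on that VLAN (option 3).

```cisco
! --- Unused walk-up ports: just disable them (Tarik's "shut down" option)
interface Ethernet0/4
 shutdown
interface Ethernet0/5
 shutdown
interface Ethernet0/6
 shutdown
interface Ethernet0/7
 shutdown

! --- Option 2: remaining walk-up ports go to their own VLAN, not inside
! (Security Plus assumed; on a Base license this third SVI needs
!  "no forward interface Vlan1" before nameif is accepted)
interface Vlan3
 nameif guest
 security-level 10
 ip address 192.168.3.1 255.255.255.0
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 3

! Hand out addresses on the guest VLAN only (placeholder pool)
dhcpd address 192.168.3.10-192.168.3.30 guest
dhcpd enable guest

! Layer 3/4 ACL on the guest interface: DNS to one server, HTTPS to one
! server, everything else dropped and logged. Security-level 10 alone
! would still let guests reach outside; the ACL is what actually limits them.
access-list GUEST_IN extended permit udp 192.168.3.0 255.255.255.0 host 10.10.10.5 eq 53
access-list GUEST_IN extended permit tcp 192.168.3.0 255.255.255.0 host 10.10.10.20 eq 443
access-list GUEST_IN extended deny ip any any log
access-group GUEST_IN in interface guest

! --- Option 3: cut-through proxy on the guest VLAN.
! Any RADIUS server reachable from the ASA will do (placeholder address;
! the thread does not settle whether ISE is the right backend for this).
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.10.10.5
 key CHANGE_ME_shared_secret

! Traffic matching this ACL is held until the user authenticates.
! Only HTTP/HTTPS/FTP/Telnet can trigger the prompt, so keep the
! match list to those, and use the redirect listener so the user
! gets a login page on the ASA instead of a browser popup.
access-list GUEST_AUTH extended permit tcp 192.168.3.0 255.255.255.0 any eq 80
access-list GUEST_AUTH extended permit tcp 192.168.3.0 255.255.255.0 any eq 443
aaa authentication match GUEST_AUTH guest RADIUS_SRV
aaa authentication listener http guest port 8080 redirect
```

Check the result with `show uauth` after a guest logs in, and `show access-list GUEST_IN` to confirm the deny line is accumulating hits from whatever gets plugged in. Note that cut-through proxy only gates the flows it can intercept; the GUEST_IN ACL is still what keeps an unauthenticated device from talking to anything else, so do not deploy option 3 without option 2 underneath it.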

I agree with the auth-proxy statement; however, if you are looking for a solution, your best bet would be to consider a small ISR. I currently use the 881W (embedded AP, with 4 switchports, 2 of them PoE); you can still use Easy VPN, but I use DMVPN because of the routes behind my home connection... and demo equipment. All the switchports are dot1x enabled, and my AP is in lightweight mode, connecting back to a vWLC that I have stood up, which is integrated with ISE.

If you are looking for NAC Framework, that is an older technology, since it involves ACS 4.x; ISE doesn't support NAC Framework anymore. If you are looking for ISE and ASA integration, most of it is done for remote VPN clients, so that the NAC agent is either distributed or their traffic is redirected to ISE for posturing/authorization/profiling, etc. The integration with ISE doesn't cover anything plugged in locally on the ASA.

Thanks,

Tarik Admani
*Please rate helpful posts*
