01-31-2022 10:12 AM
Hello Guys,
02-06-2022 02:53 PM
Hello @ciscokapajoeen
ISE is used for network access control and not for application or content control. When you require that "all traffic leaving the internal interface" be authenticated, then NAC (ISE) is too late for that. ISE should have authenticated/authorized the endpoints at the time when they connect to the network. Once connected, the endpoints might reach out to services that are beyond the Internal - e.g. DMZ or internet. This can be stuff like web access. The better approach is to use a web proxy to redirect the web traffic and then authenticate the user - but it's not ISE that's doing this. The web proxy might send the auth request to ISE though.
The proxy usually does its filtering based on the source IP address of the endpoint traffic - you would define policies in the web proxy to allow/block traffic based on those source IP subnets. As far as authentication goes, the proxy might authenticate against AD, or LDAP or anything. And those systems should be redundant of course. If the redundancy fails, then the proxy should have an emergency policy to do whatever you like it to do - e.g. allow all.
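The policy flow described in the answer above (source-subnet filtering first, then user authentication against redundant backends, then an explicit emergency action when every backend is unreachable), as an added Python model that is not part of the original post and not any vendor's proxy code. The subnets 10.10.0.0/16 and 10.20.0.0/16, the user database and the AD/LDAP backend names are constructed for the example.

```python
"""Added example: a minimal model of web-proxy access policy.

Order of evaluation, matching the design in the answer:
  1. source IP subnet rules (first match wins, default deny)
  2. user authentication, tried against redundant backends in order
  3. if every backend is down, the configured emergency action decides
All subnets, users and backend names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


class BackendDown(Exception):
    """Raised by an auth backend that cannot be reached (simulated outage)."""


def make_backend(name, users, up=True):
    """Return an auth callable: (user, password) -> bool, or raise BackendDown."""
    def check(user, password):
        if not up:
            raise BackendDown(name)
        return users.get(user) == password
    check.backend_name = name
    return check


@dataclass
class ProxyPolicy:
    subnet_rules: list          # list of (ip_network, "allow" | "block")
    auth_backends: list         # ordered list of auth callables (primary first)
    emergency_action: str = "block"  # used only when ALL backends are down

    def subnet_decision(self, src_ip):
        """First matching subnet rule wins; unknown sources are blocked."""
        ip = ipaddress.ip_address(src_ip)
        for net, action in self.subnet_rules:
            if ip in net:
                return action
        return "block"

    def authenticate(self, user, password):
        """Try backends in order. True/False = a backend answered;
        None = every backend was unreachable (redundancy exhausted)."""
        for backend in self.auth_backends:
            try:
                return backend(user, password)
            except BackendDown:
                continue
        return None

    def decide(self, src_ip, user, password):
        """Final allow/block decision for one request."""
        if self.subnet_decision(src_ip) == "block":
            return "block"
        result = self.authenticate(user, password)
        if result is None:
            # Redundancy failed: apply the explicit emergency policy
            # rather than silently denying (or allowing) by accident.
            return self.emergency_action
        return "allow" if result else "block"


def build_demo_policy(ad_up=True, ldap_up=True, emergency_action="block"):
    """Assemble a policy with constructed subnets, users and backends."""
    users = {"alice": "s3cret", "bob": "hunter2"}  # constructed sample directory
    return ProxyPolicy(
        subnet_rules=[
            (ipaddress.ip_network("10.10.0.0/16"), "allow"),  # hypothetical staff LAN
            (ipaddress.ip_network("10.20.0.0/16"), "block"),  # hypothetical guest/IoT
        ],
        auth_backends=[
            make_backend("AD-primary", users, up=ad_up),
            make_backend("LDAP-secondary", users, up=ldap_up),
        ],
        emergency_action=emergency_action,
    )


if __name__ == "__main__":
    p = build_demo_policy()
    print(p.decide("10.10.5.7", "alice", "s3cret"))      # allow: staff subnet, good password
    print(p.decide("10.20.1.1", "alice", "s3cret"))      # block: guest subnet, auth never consulted
    p2 = build_demo_policy(ad_up=False)
    print(p2.decide("10.10.5.7", "bob", "hunter2"))      # allow: AD down, LDAP answers
    p3 = build_demo_policy(ad_up=False, ldap_up=False, emergency_action="allow")
    print(p3.decide("10.10.5.7", "bob", "wrong"))        # allow: emergency allow-all in force
```

Note the design point the example makes explicit: the emergency action applies only when no backend could answer at all; a backend that answers "wrong password" is still a block, so an outage of one of two redundant directories never changes the decision.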