01-31-2022 10:12 AM
Hello Guys,
02-06-2022 02:53 PM
Hello @ciscokapajoeen
ISE is used for network access control and not for application or content control. When you require that "all traffic leaving the internal interface" be authenticated, then NAC (ISE) is too late for that. ISE should have authenticated/authorized the endpoints at the time when they connect to the network. Once connected, the endpoints might reach out to services that are beyond the Internal - e.g. DMZ or internet. This can be stuff like web access. The better approach is to use a web proxy to redirect the web traffic and then authenticate the user - but it's not ISE that's doing this. The web proxy might send the auth request to ISE though.
The proxy usually does its filtering based on the source IP address of the endpoint traffic - you would define policies in the web proxy to allow/block traffic based on those source IP subnets. As far as authentication goes, the proxy might authenticate against AD, or LDAP or anything. And those systems should be redundant of course. If the redundancy fails, then the proxy should have an emergency policy to do whatever you like it to do - e.g. allow all.
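To make the decision flow the answer describes concrete, here is an added toy model of a web proxy's access decision (example code written for this thread, not part of the original post and not Cisco ISE or any proxy product's code). It assumes hypothetical class names (`Proxy`, `SubnetPolicy`, `AuthBackend`), constructed sample subnets and user accounts, and models the three pieces the answer mentions: per-source-subnet allow/block/auth policies, authentication against redundant directory backends tried in order, and a separately configured emergency action that applies only when every backend is unreachable, so the fail-open "allow all" choice is explicit and can be switched to fail-closed.

```python
"""Toy model of a web proxy's access decision (constructed example):
source-subnet policy -> user authentication against redundant backends
-> emergency policy when all backends are down."""
import ipaddress
from dataclasses import dataclass


class BackendDown(Exception):
    """Raised by a hypothetical directory backend that is unreachable."""


@dataclass
class AuthBackend:
    name: str
    users: dict              # username -> password, constructed sample data
    available: bool = True   # flip to False to simulate an AD/LDAP outage

    def authenticate(self, user, password):
        if not self.available:
            raise BackendDown(self.name)
        return self.users.get(user) == password


@dataclass
class SubnetPolicy:
    network: ipaddress.IPv4Network
    action: str              # "allow", "block" or "auth"


@dataclass
class Proxy:
    policies: list
    backends: list                  # tried in order; redundancy lives here
    emergency_action: str = "allow" # used only when every backend is down

    def match_policy(self, src_ip):
        """Longest-prefix match: the most specific subnet policy wins."""
        ip = ipaddress.ip_address(src_ip)
        candidates = [p for p in self.policies if ip in p.network]
        if not candidates:
            return None
        return max(candidates, key=lambda p: p.network.prefixlen)

    def authenticate(self, user, password):
        """Try each backend; fall back to the emergency action if all fail."""
        for backend in self.backends:
            try:
                ok = backend.authenticate(user, password)
            except BackendDown:
                continue                     # failover to the next backend
            return ("allow" if ok else "block", f"auth via {backend.name}")
        return (self.emergency_action, "all backends down: emergency policy")

    def decide(self, src_ip, user=None, password=None):
        """Return (action, reason) for one request from src_ip."""
        policy = self.match_policy(src_ip)
        if policy is None:
            return ("block", "no policy for source")
        if policy.action in ("allow", "block"):
            return (policy.action, f"subnet policy {policy.network}")
        if user is None:
            return ("block", "authentication required")
        return self.authenticate(user, password)


def build_sample_proxy(emergency_action="allow"):
    """Constructed sample: generic users must authenticate, a server subnet is
    trusted outright, a guest subnet is blocked, two directory replicas."""
    users = {"alice": "correct-horse"}       # constructed credentials
    return Proxy(
        policies=[
            SubnetPolicy(ipaddress.ip_network("10.0.0.0/8"), "auth"),
            SubnetPolicy(ipaddress.ip_network("10.1.0.0/16"), "allow"),
            SubnetPolicy(ipaddress.ip_network("10.9.0.0/16"), "block"),
        ],
        backends=[AuthBackend("AD-primary", users),
                  AuthBackend("LDAP-replica", dict(users))],
        emergency_action=emergency_action,
    )


if __name__ == "__main__":
    proxy = build_sample_proxy()
    print(proxy.decide("10.20.0.7", "alice", "correct-horse"))
    proxy.backends[0].available = False
    print(proxy.decide("10.20.0.7", "alice", "correct-horse"))
    proxy.backends[1].available = False
    print(proxy.decide("10.20.0.7", "alice", "correct-horse"))
```

The `emergency_action` parameter is the design point: whether a directory outage should fail open (the "allow all" the answer mentions) or fail closed is a deliberate, reviewable setting rather than an accident of which exception path the proxy happens to take.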