Can NAC reconfigure ports based on endpoint recognition of Company A/B assets?

sasalinas
Level 1

I recall NAC being binary in that endpoints passed the HIP check and were allowed through, or failed and were placed on the guest net.  I've a situation where Company A has acquired Company B and will be bleeding applications over to Company A's data centers over time and providing services to Company B from Company A locations.

  • Company B will retain their endpoints to access their data, applications and services.
  • Company A services will be accessed via Company A endpoints at Company B locations.
  • Company B has single network drops at user stations.

Can NAC/ISE/TACACS be configured to recognize Company A endpoints plugging into a network drop at Company B, configure the switch port to a secure VLAN for Company A and switch Company A traffic to the Company A WAN drop being installed at Company B?  And of course the opposite: recognizing Company B endpoints, reconfigure the switch port for the Company B user VLAN and switch the traffic to the Company B WAN for servicing at the Company B data center?

Accepted Solution

howon
Cisco Employee

There are two parts to this. First is how to identify and differentiate Company A & B machines. Second is to assign different VLANs that map to different networks in the back end.

The second part is trivial provided that the network has been re-engineered with matching VLANs that can be assigned on all the access switches at B locations.

Some options for the first part, which requires configuring B switches with 802.1X/MAB:

  • Use MAB: As you hand out A machines to B users, record all the MAC addresses of A machines and create a policy on ISE to assign VLAN A for A machines; else assign the default policy, which could be the default VLAN configured on the interface. Since 802.1X is not used, you only need to record the MAC addresses in a whitelist on the ISE deployment in the B datacenter.
  • Use 802.1X: As you provision A machines, configure them with 802.1X machine authentication. Since they are Windows domain PCs, they can authenticate via 802.1X as a machine and get VLAN A. If this is a non-Windows environment you may consider deploying machine certificates to identify the machines. Depending on the setup you may need to house the ISE deployment in datacenter A for access to A's AD environment.

For further information on how to achieve the above, I suggest going through the following document: https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Also, instead of utilizing a wired port, another option is to create a new WLAN at the B location and dedicate it to access to A's network.


2 Replies

yalbikaw
Cisco Employee

Well, using posture you can make sure that the devices are compliant with the policies you need. It's not like HIP; it's more of a control that the endpoints connected to the network have the security programs that comply with the policy of the organisation.

From the description I understand that you would like to do segmentation based on the endpoints that belong to Company A or B.

Remember, we can do this easily by using dot1x, or maybe EasyConnect if it will be hard to use dot1x at the new Company B.

Now the policies would be like: if the user is part of AD group X, then give it an authorization profile with DACL, VLAN, SGT. Maybe it will be great to use SGT as well in this kind of segmentation,

and vice versa: if the user is part of AD group Y, then give it ......

The options are wide. Check if it will be suitable for you to use dot1x at the newly acquired company; if not, check whether EasyConnect will be suitable for you. I think it's best for you to have access to the AD anyway, to know the groups and separate the authz accordingly.

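The decision logic described in the accepted answer (MAB whitelist of Company A MAC addresses, 802.1X machine authentication) and in the reply above (AD group to authorization profile with VLAN and SGT), as an added Python model that is not from the thread and not Cisco ISE code. The MAC addresses, AD group names, VLAN numbers and SGT values are constructed; the VLAN attributes are the standard RFC 3580 RADIUS ones a switch acts on, while the SGT is kept as a plain field because its vendor-specific encoding is not covered here.

```python
import re
from dataclasses import dataclass

# Constructed MAB whitelist of Company A machines, recorded as laptops are handed
# out. Deliberately in three notations (Cisco dotted, colon, dash) to show that
# the whitelist must be normalized before matching.
COMPANY_A_MAB_WHITELIST = {"0011.2233.4455", "00:11:22:33:44:66", "00-11-22-33-44-77"}

# Constructed AD group policy: group -> (VLAN, SGT), i.e. "group X -> profile".
AD_GROUP_POLICY = {"CompanyA-Computers": (110, 10), "CompanyB-Computers": (220, 20)}
VLAN_A = AD_GROUP_POLICY["CompanyA-Computers"][0]


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so every notation matches the same entry."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


WHITELIST = {normalize_mac(m) for m in COMPANY_A_MAB_WHITELIST}


@dataclass
class Session:
    mac: str                  # Calling-Station-Id seen by the RADIUS server
    dot1x_ok: bool = False    # EAP machine authentication succeeded
    ad_groups: tuple = ()     # groups returned by the AD lookup for that machine


def vlan_attrs(vlan: int) -> dict:
    """RFC 3580 attributes the access switch needs for dynamic VLAN assignment."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}


def authorize(s: Session) -> dict:
    """Authorization profile for one session. 802.1X + AD group wins, then the
    MAB whitelist for A machines; otherwise no VLAN attribute is returned, so
    the port keeps the VLAN configured on the interface (the default policy)."""
    if s.dot1x_ok:
        for group in s.ad_groups:
            if group in AD_GROUP_POLICY:
                vlan, sgt = AD_GROUP_POLICY[group]
                return {"method": "dot1x", **vlan_attrs(vlan), "sgt": sgt}
    try:
        if normalize_mac(s.mac) in WHITELIST:
            return {"method": "mab", **vlan_attrs(VLAN_A)}
    except ValueError:
        pass  # malformed station id: fall through to the default policy
    return {"method": "default"}
```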