Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1344
Views
0
Helpful
9
Replies

Cisco ISE 2.4 User Cases

Go to solution
hanguye3
Cisco Employee
Cisco Employee

‎02-12-2019 07:38 PM

Hi team,

 

I am working on the ISE implementation for one of the biggest banks in my country. They are asking us 02 scenarios below:

 

1/ The domain user is under the ISE polices. Due to some reasons (such as: install/remove applications...), the administrator will login this computer by using the local admin account to do these jobs. The questions is: how can ISE detect these activities and apply the policies to the local admin account?

 

2/ If the user is using 02 network cards (Wire/Wireless) at the same time, can ISE detect that activity and force them to use 01 card at one time?

 

Highly appreciate for any quick response. thanks in advance.

 

Br,

hainm

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nadav
Level 7
Level 7
In response to hanguye3

‎02-14-2019 03:35 AM

If Anyconnect is suitable for the 2nd requirement, you can also provision the agent using Client Provisioning if you don't have a configuration management solution in place.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010110.html

 

 

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Nadav
Level 7
Level 7

‎02-13-2019 02:39 AM - edited ‎02-13-2019 02:40 AM

Hi,

 

1) Authentication into a Windows machine locally doesn't involve ISE, it doesn't even involve the network. ISE is there to enforce access to the network (whether via 802.1x, posturing etc.). If you want to manage a local account you can do so via GPO, if you would like to monitor their activities that can be done via Windows eventlog or software installed on the machine. What kind of policies are you interested in ISE applying to a local account?

 

2) That really depends on the policy you're trying to enforce.

 

If you have some sort of dynamic logic as to which NIC you want to allow at any one time, then I imagine that you could use ERS to look over all active authentications, find the same machine credentials being used by multiple MAC addresses, and then resolve this via script.

 

If you only want to allow authentications via a certain kind of NIC from a group of endpoints (whether wired or wireless) then you can definitely enforce that via policy. 

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-13-2019 03:15 AM

Hi,

 

For scenario #1 when the user login as local admin, dot1x will try to authentication using the local admin user name. If you use standard username, you match the attribute radius:User-Name and apply the suitable authorization profile, dacls, etc

 

For scenario #2, I don't posturing module can disable a NIC. However in windows the NICs are ordered when they are all active, i.e they won't be used at the same time. So you can enforce the suitable order from AD policy 

0 Helpful

Go to solution
hanguye3
Cisco Employee
Cisco Employee
In response to Mohammed al Baqari

‎02-19-2019 07:23 PM

Hi bro,

 

I am still confuse on your answer. Correct me if i am wrong that the ISE can detect the local admin accounts and we can apply these policies on those accounts?

 

Br,

hainm

0 Helpful

Go to solution
hanguye3
Cisco Employee
Cisco Employee
In response to Mohammed al Baqari

‎02-21-2019 06:39 PM

Hi bro,

 

Many thanks for your response. Correct me if I am wrong that ISE can detect those local accounts and we can allow them to access to the network based on some conditions?

 

Thanks in advance.

 

 

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-13-2019 03:51 AM

Since others have answered question 1 here is an option you have for question 2:
You can use Cisco’s NAM anyconnect module to force the use of one card at a time. Using the NAM profile editor you can configure profiles for both wired and wireless access. Using Anyconnect NAM as your 8021x supplicant will introduce some differences in your deployment since you will no longer require using windows native supplicant or GPOs to configure the native supplicant. You’ll probably need to use SCCM to deploy anyconnect + nam or build them into your image. This will open up other things to consider which include the use of eap-fast for user+machine authentication via eap-chaining, and potential use of ise posture assessment. HTH!
0 Helpful

Go to solution
hanguye3
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎02-13-2019 08:13 PM

Hi Mike,

Many thanks for your advice. Our customer is using ISE with Base/Plus/Apex and AnyConnect Apex license

Correct me if i am wrong that these current licenses do not cover the NAM feature, they have to buy the AnyConnect Plus license, right?
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to hanguye3

‎02-13-2019 08:17 PM

Correct, covered in table 1 of the AC license guide.
https://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to hanguye3

‎02-14-2019 03:35 AM

If Anyconnect is suitable for the 2nd requirement, you can also provision the agent using Client Provisioning if you don't have a configuration management solution in place.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010110.html

 

 

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to hanguye3

‎02-14-2019 05:14 AM

Correct. See pdf posted by Damien. Glad to help.
0 Helpful
Customers Also Viewed These Support Documents