Cisco Employee

Cisco ISE 2.4 Use Cases

Hi team,

I am working on the ISE implementation for one of the biggest banks in my country. They are asking us about the 02 scenarios below:

1/ The domain user is under the ISE policies. For some reasons (such as installing/removing applications...), the administrator will log in to this computer using the local admin account to do these jobs. The question is: how can ISE detect these activities and apply the policies to the local admin account?

2/ If the user is using 02 network cards (Wired/Wireless) at the same time, can ISE detect that activity and force them to use 01 card at a time?

Highly appreciate any quick response. Thanks in advance.

Br,

hainm

Accepted Solution

If AnyConnect is suitable for the 2nd requirement, you can also provision the agent using Client Provisioning if you don't have a configuration management solution in place.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010110.html

9 Replies

Rising star

Hi,

1) Authentication into a Windows machine locally doesn't involve ISE; it doesn't even involve the network. ISE is there to enforce access to the network (whether via 802.1x, posturing etc.). If you want to manage a local account you can do so via GPO; if you would like to monitor their activities, that can be done via the Windows event log or software installed on the machine. What kind of policies are you interested in ISE applying to a local account?

2) That really depends on the policy you're trying to enforce.

If you have some sort of dynamic logic as to which NIC you want to allow at any one time, then I imagine that you could use ERS to look over all active authentications, find the same machine credentials being used by multiple MAC addresses, and then resolve this via script.

If you only want to allow authentications via a certain kind of NIC from a group of endpoints (whether wired or wireless), then you can definitely enforce that via policy.
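An added sketch of the "look over active authentications and find the same credentials on multiple MACs" idea above; this is example code, not something posted in the thread. It assumes the session list has already been pulled from ISE (that API call is not shown), and the session records and field names are constructed sample data.

```python
"""Spot one set of credentials authenticated from more than one MAC.

Added example, not code from the thread. The live-session list is assumed to
have been fetched from ISE already (that call is not shown); SAMPLE_SESSIONS
is constructed data shaped like a RADIUS session's User-Name,
Calling-Station-Id and NAS-Port-Type fields.
"""
from collections import defaultdict

# Constructed: WS-0123 is up on wired and wireless at once; WS-0456 is wired
# only; jdoe appears twice but from ONE MAC written two ways (not flagged).
SAMPLE_SESSIONS = [
    {"user_name": "host/WS-0123.corp.example", "calling_station_id": "00:11:22:33:44:55", "nas_port_type": "Ethernet"},
    {"user_name": "host/WS-0123.corp.example", "calling_station_id": "66:77:88:99:AA:BB", "nas_port_type": "Wireless-802.11"},
    {"user_name": "host/WS-0456.corp.example", "calling_station_id": "00:11:22:33:44:66", "nas_port_type": "Ethernet"},
    {"user_name": "jdoe", "calling_station_id": "aa-bb-cc-dd-ee-ff", "nas_port_type": "Wireless-802.11"},
    {"user_name": "jdoe", "calling_station_id": "AABB.CCDD.EEFF", "nas_port_type": "Wireless-802.11"},
]


def normalize_mac(mac):
    """Lower-case colon form, so one NIC compares equal in any NAS notation."""
    digits = "".join(c for c in mac if c.isalnum()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_multi_nic_users(sessions):
    """Return {user: {mac: set(nas_port_type)}} for users active on >1 MAC."""
    by_user = defaultdict(lambda: defaultdict(set))
    for s in sessions:
        by_user[s["user_name"]][normalize_mac(s["calling_station_id"])].add(s["nas_port_type"])
    return {user: dict(macs) for user, macs in by_user.items() if len(macs) > 1}


def sessions_to_review(sessions, preferred="Ethernet"):
    """(user, mac) pairs of flagged users that are NOT on the preferred media,
    i.e. the sessions an operator would examine first under a policy of
    'wired wins while both NICs are up'."""
    review = []
    for user, macs in find_multi_nic_users(sessions).items():
        review.extend((user, mac) for mac, types in macs.items() if preferred not in types)
    return sorted(review)
```

Normalizing Calling-Station-Id first matters: the same NIC can be reported with colons, dashes or Cisco dotted notation depending on the NAS, and without it a single card would look like two.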

VIP Advisor

Hi,

For scenario #1, when the user logs in as local admin, dot1x will try to authenticate using the local admin user name. If you use a standard username, you match the attribute radius:User-Name and apply the suitable authorization profile, dACLs, etc.

For scenario #2, I don't think the posturing module can disable a NIC. However, in Windows the NICs are ordered when they are all active, i.e. they won't be used at the same time. So you can enforce the suitable order from AD policy.


Hi bro,

I am still confused by your answer. Correct me if I am wrong that ISE can detect the local admin accounts and we can apply these policies on those accounts?

Br,

hainm


Hi bro,

Many thanks for your response. Correct me if I am wrong that ISE can detect those local accounts and we can allow them to access the network based on some conditions?

Thanks in advance.

VIP Engager

Since others have answered question 1, here is an option you have for question 2:
You can use Cisco's AnyConnect NAM module to force the use of one card at a time. Using the NAM profile editor you can configure profiles for both wired and wireless access. Using AnyConnect NAM as your 802.1X supplicant will introduce some differences in your deployment, since you will no longer require the Windows native supplicant or GPOs to configure the native supplicant. You'll probably need to use SCCM to deploy AnyConnect + NAM or build them into your image. This will open up other things to consider, which include the use of EAP-FAST for user+machine authentication via EAP chaining, and potential use of ISE posture assessment. HTH!

Hi Mike,

Many thanks for your advice. Our customer is using ISE with Base/Plus/Apex and AnyConnect Apex licenses.

Correct me if I am wrong that these current licenses do not cover the NAM feature; they have to buy the AnyConnect Plus license, right?

Correct, covered in table 1 of the AC license guide.
https://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf


Correct. See pdf posted by Damien. Glad to help.