
Cisco ISE along with SCCM

Amr Moussa
Level 1

We already have Microsoft SCCM and we have Cisco ISE. Our design is currently built on MAB authentication, but we now need to move to DOT1X. The problem we see is that we use SCCM to deploy Windows images to the new machines, so they will be just bare metal without any system on them. How can we do it without using MAB, since MAB is less secure and can lead to MAC spoofing?


7 Replies

Use SCCM to push certificates to your managed Windows machines.  Use those certificates to perform EAP-TLS authentication via 802.1X to ISE.

I am not talking about managed Windows machines; I am asking about the unmanaged machines that don't have a Windows system yet, and we need SCCM to push and deploy Windows to them.

Got it, so you are talking about provisioning new machines that do not have any supplicant configuration.  This is a classic chicken-and-egg scenario.  You have a couple of options here:

  • Configure specialized "build ports" inside a locked room, for example, that do not have any authentication enabled.  Build the PC, remove it from the room, and deploy.
  • Continue to use MAB with a whitelist.  Place the MAC address of the PC in the whitelist.  Once the SCCM build is complete, remove the MAC address from the whitelist.  Always leave the whitelist empty except during builds.
  • Deploy a default authz that only allows access to SCCM.  If 802.1X succeeds: full access.  If 802.1X fails: dACL/pre-auth/named ACL that only allows DHCP, DNS, and access to SCCM.
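The third option (low-impact mode) as a switch port configuration, added here as an example; it is not taken from this thread or from Cisco documentation. The addresses, VLAN and port numbers are assumptions: 10.0.0.10 stands for the SCCM distribution point that also runs WDS for PXE, 10.0.0.11 for the management point, and access VLAN 100 is arbitrary, so check your own site's PXE/DP/MP ports. The ISE side is the usual pair of authorization rules: a successful Wired_802.1X (EAP-TLS with the certificate SCCM pushed) returns a dACL of `permit ip any any` that replaces the port ACL, and the default rule denies, which with `authentication open` leaves the host holding only what the port ACL allows.

```cisco
! Pre-authentication ACL applied inbound on the port: this is everything a host
! can reach until 802.1X succeeds and ISE pushes a dACL. Addresses are placeholders.
ip access-list extended PREAUTH-SCCM-ONLY
 remark DHCP so the PXE ROM and WinPE can get a lease
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark PXE to the DP/WDS host: TFTP (port 69, then the server's ephemeral data port)
 remark and WDS proxy DHCP on 4011, hence the whole host rather than single ports
 permit udp any host 10.0.0.10
 remark SCCM DP: HTTP(S) content and SMB for the task sequence share
 permit tcp any host 10.0.0.10 eq 80
 permit tcp any host 10.0.0.10 eq 443
 permit tcp any host 10.0.0.10 eq 445
 remark SCCM MP: client policy over HTTP(S)
 permit tcp any host 10.0.0.11 eq 80
 permit tcp any host 10.0.0.11 eq 443
 deny ip any any

interface GigabitEthernet1/0/1
 description Access port, low-impact mode: pre-auth ACL, dACL from ISE on success
 switchport mode access
 switchport access vlan 100
 ip access-group PREAUTH-SCCM-ONLY in
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 authentication event fail action next-method
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Two things to check before relying on this. `authentication open` is what keeps PXE working: the ROM's DHCP request is forwarded by the pre-auth ACL immediately, instead of waiting the roughly 30 seconds (tx-period 10 × max-reauth-req 2, plus one more) it takes for 802.1X to time out and fall back to MAB, by which time most PXE ROMs have given up. And the ACL does not include the domain controllers, which is exactly the objection raised further down this thread: the task sequence's domain join step will fail until either the DCs are added (widening what an unauthenticated host can reach) or the build is done on a whitelisted or build-room port as in the first two options. Whatever a stranger can reach before authenticating should also be hardened on its own; SCCM's option to require a password for PXE boot is the obvious one here.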

I think your first solution may be applicable, but it will cause some confusion, because now we will have a vulnerable room that, if anyone knows about it, they can use to access our network.

For the other solution (Deploy a default authz that only allows access to SCCM.  If 802.1X succeeds: full access.  If 802.1X fails: dACL/pre-auth/named ACL that only allows DHCP, DNS, and access to SCCM.), this is not enough, because those machines are going to join the domain, so they will also need access to the domain controllers, and this would be a very dangerous thing to leave open.

Well you have to make some concessions somewhere because you cannot do 802.1X without a proper supplicant configuration or credentials.  You won't get your supplicant configuration or credentials until you can talk to SCCM and AD.  

Another option would be to do something like Intune or MS Autopilot: join the new machine to a guest network, for example, and provision over the internet.  Once provisioning has taken place, then connect the machine to your corporate network as normal.

If an unauthorized user can access a locked/secured room then that is a physical security problem, not a NAC problem.

What is wrong with the whitelist MAB idea?  If the whitelist is normally empty any unknown MAC address would be denied.  

The only problem with the MAB idea is the headache: we need to add and remove the MAC on every deployment.
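The add-and-remove headache is the part that can be scripted. The following is an added example, not code from this thread or from Cisco: it adds a MAC to an ISE endpoint identity group (the group a MAB whitelist authorization rule matches on) before an SCCM build and deletes the endpoint afterwards, so the group is empty between builds. It assumes the ISE ERS API is enabled on port 9060, an ERS admin account, and the ERS resource paths for endpoints and endpoint groups as documented for ISE 2.x/3.x, which you should verify against your version. The hostname, the group name "SCCM-Build-Whitelist", the ticket string and the FakeIseTransport used for the offline dry run are all made up for the example.

```python
"""Temporary MAB whitelist for SCCM builds via the ISE ERS API (added example, not the thread's code).
Assumes ERS is enabled on port 9060 and an ERS admin account; resource paths follow the ERS
documentation for endpoints and endpoint groups, but verify them against your ISE version."""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# A transport is transport(method, url, headers, body) -> (status, response_headers, response_body),
# so the same client can run against a real ISE or the constructed FakeIseTransport below.


def normalize_mac(raw: str) -> str:
    """Accept 'aabb.ccdd.eeff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return ISE's AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport (the ERS certificate must be trusted by the host running this)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # 404 for an unknown MAC is a normal answer, not a crash
        return err.code, dict(err.headers), err.read()


class IseBuildWhitelist:
    def __init__(self, host, username, password, group_name, transport=None):
        self.base = f"https://{host}:9060/ers/config"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.group_name = group_name
        self.transport = transport or urllib_transport
        self._group_id = None

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, hdrs, raw = self.transport(method, self.base + path, self.headers, body)
        return status, hdrs, (json.loads(raw) if raw else {})

    def group_id(self) -> str:
        """Resolve the endpoint identity group name to its ERS id (cached)."""
        if self._group_id is None:
            status, _, data = self._call("GET", "/endpointgroup/name/" + urllib.parse.quote(self.group_name))
            if status != 200:
                raise RuntimeError(f"endpoint group {self.group_name!r} not found (HTTP {status})")
            self._group_id = data["EndPointGroup"]["id"]
        return self._group_id

    def add(self, raw_mac: str, ticket: str) -> str:
        """Whitelist one MAC for a build; the ticket lands in the description for the audit trail."""
        mac = normalize_mac(raw_mac)
        payload = {"ERSEndPoint": {"name": mac, "mac": mac, "groupId": self.group_id(),
                                   "staticGroupAssignment": True,
                                   "description": f"SCCM build {ticket} (temporary)"}}
        status, _, _ = self._call("POST", "/endpoint", payload)
        if status != 201:
            raise RuntimeError(f"could not whitelist {mac} (HTTP {status})")
        return mac

    def remove(self, raw_mac: str) -> bool:
        """Delete the endpoint after the build so the whitelist is empty again; False if it is absent."""
        mac = normalize_mac(raw_mac)
        status, _, data = self._call("GET", f"/endpoint/name/{mac}")
        if status == 404:
            return False
        if status != 200:
            raise RuntimeError(f"lookup of {mac} failed (HTTP {status})")
        status, _, _ = self._call("DELETE", f"/endpoint/{data['ERSEndPoint']['id']}")
        if status != 204:
            raise RuntimeError(f"delete of {mac} failed (HTTP {status})")
        return True


class FakeIseTransport:
    """Constructed stand-in for ISE (no network) that mimics the ERS answers the client relies on."""
    def __init__(self):
        self.calls, self.endpoints = [], {}  # endpoints: mac -> endpoint id

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        path = url.split("/ers/config", 1)[1]
        if method == "GET" and path.startswith("/endpointgroup/name/"):
            return 200, {}, b'{"EndPointGroup": {"id": "grp-build"}}'
        if method == "POST" and path == "/endpoint":
            mac = json.loads(body)["ERSEndPoint"]["mac"]
            self.endpoints[mac] = f"ep-{len(self.endpoints) + 1}"
            return 201, {}, b""
        if method == "GET" and path.startswith("/endpoint/name/"):
            ep_id = self.endpoints.get(path.rsplit("/", 1)[1])
            return (200, {}, json.dumps({"ERSEndPoint": {"id": ep_id}}).encode()) if ep_id else (404, {}, b"")
        if method == "DELETE" and path.startswith("/endpoint/"):
            ep_id = path.rsplit("/", 1)[1]
            self.endpoints = {m: i for m, i in self.endpoints.items() if i != ep_id}
            return 204, {}, b""
        return 400, {}, b""


if __name__ == "__main__":
    fake = FakeIseTransport()
    wl = IseBuildWhitelist("ise.example.com", "ersadmin", "secret", "SCCM-Build-Whitelist", transport=fake)
    mac = wl.add("0050.56ab.cdef", "CHG0001")  # run before PXE-booting the new machine
    print("whitelisted", mac, "-> run the SCCM task sequence now")
    print("removed:", wl.remove(mac), "| entries left in whitelist:", len(fake.endpoints))
```

Call `add` from the build ticket before the machine is PXE-booted, and `remove` when SCCM reports the task sequence complete, with a timer as a safety net so a forgotten entry does not outlive the build. The entry is deleted rather than moved to another group, so ISE will re-profile the machine on its next connection; by then it should be authenticating with the certificate SCCM pushed, and MAB no longer matters for it.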

See a similar discussion with some additional detail and options here:

PC Imaging on NAC secured ports