06-14-2017 07:58 AM
Can you please assist in confirming if we can position a Cisco ISE solution to our customer?
We have been exploring HPE ClearPass with them for some time but have come up against a number of issues around what they are looking to achieve.
I am not 100% sure yet if the customer would consider Cisco ISE, but I need to confirm if the solution can do the below before I potentially put it in front of them.
See key points below.
From what I understand of the ClearPass solution, with Google authentication they would have to use MAC caching. In this setup, when a client machine plugs into the network they would be shown a captive portal; they would need to log in with their Google Suite credentials and would then be provided network access. It would cache MAC addresses so that the next time they plugged in they would not need to log in again.
However, it has been highlighted that this is not a recommended deployment when securing wired and wireless ports, as it is trivial to spoof a MAC address and any PEN testing on your network would surely fail.
If we can get advice on how the Cisco solution would approach this and if it’s possible I would appreciate it.
Thanks
Nick
06-14-2017 08:56 AM
We can accomplish this with CWA Chaining. howon just replied to another topic on how to integrate ISE and Google IdP via SAML: Re: ISE SAML with Google IdP. Once users successfully log in with their Google account, ISE can add their MAC address to an endpoint group.
06-26-2017 06:37 AM
Thank you very much Viktor, very much appreciated. We also had the following content from:
Cisco Partner Plus Global Virtual Engineering
I'm looking to other options but using ISE 2.2 import the MAC addresses of the Linux boxes for example and essentially use a sequence of authentication methods: MAC address, Google App sign-on (with an SSO SAML method). There is a similar workaround for allowing Chromebooks to use Google App to sign on via ISE.
I've reached out to a few ISE experts to elaborate and validate this option.
We do have a solution with ISE. We can accomplish this using Central Web Authentication chaining. In essence, a sequence of authentication as I mentioned before.
Once users successfully log in with their Google account, ISE can add their MAC address to an endpoint group.