Re: Cisco ISE without LDAP/AD environment

wsoonhin · ‎02-09-2022

Hi,

I have an environment where roughly 800 client PC without LDAP/AD are integrated. The user just login into the PC using the local Windows credential. With this kind of environment, what can I achieve/benefit from if I were to integrate Cisco ISE into the network? Currently, we already have Cisco DNAC running in the network, we plan to procure Cisco ISE and integrate it with our DNAC.

balaji.bandi · ‎02-10-2022

what can I achieve/benefit from if I were to integrate Cisco ISE into the network?

ISE is Central identity system, which identify the Device, waht department it belong to what to access kind of stuff, based on profile login.

You looking to provide more security, then use Local PKI Infrastructure, device authenticated using certificate also addon for security.

If SD-Acces in place - ISE give more value :

 we plan to procure Cisco ISE and integrate it with our DNAC.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

wsoonhin · ‎02-10-2022

Hi BB,

Is that mean no matter how I need to implement some sort of enterprise authentication method instead of normal local Window login at the client PC in order to get the full benefit of Cisco ISE?

regards

balaji.bandi · ‎02-11-2022

If you using Local authentication, where do you get control over end device, if the device try to authenticate to central system that is where identity identified and based on that access policies can be applied.

If you looking for local user authenticaiton, then only Option you have is MAB authenticaiton with ISE, that is not as secure as expected using suplication client.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Aref Alsouqi · ‎02-11-2022

You can do a whole bunch of things with ISE. Mainly ISE can be used to manage the users and devices accesses to the network. It also can serve the guest and BYOD flows by providing portals to authenticate the users or event to register the new users. Another thing can be done with ISE is to discover and map the IP to the users passively. ISE can also do profiling to the endpoints connected to your network, this feature is hugely used and it is really useful to help you categorize the machines connected on your network, and potentially allowing full, limited, or deny accesses based on the profiled data, there is much more to it. To focus on your question, if you can integrate the end users laptops to your AD then you can join ISE to your AD and set up the authentication and authorization policies to allow or deny based on the users identities. For example, if user1 is part of the AD group1 then allow full access, and if user2 is part of the AD group2 then allow limited access, and so on. If the end users laptops will still be not domain joined, then you can do MAB which is not a best practice as it could be easily spoofed, or you can still leverage ISE by using profiling for example, admin accesses to your network devices, guest flow, and also here there is much more that you can do with all these things. Obv if you decide to integrate ISE to your environment then you would need to configure ISE itself and then the switches with the right aaa commands set, that would be for wired. If you use wireless too then you need to configure the wireless controller as well.