06-05-2023 11:21 AM
My management decided to go with a NAC solution for WIRED/WIRELESS users.
We have Virtual ISE in my environment, and the version is running as 2.7.0.356.
We're using it only for TACACS authentication.
If we want to use NAC in ISE, then what are the requirements?
06-05-2023 11:34 AM
Hey vinothkumarchellappa84099, it really depends on what you would like to achieve and on your design. For a starting point and POC, I would recommend you set up a test environment and implement on it the different options that the following document talks about:
Start with something easy like MAB, and then implement the different EAP flavors. Again, this is based on your design and endpoint capabilities. ISE has multiple capabilities and different flows, but start with something easy and continue improving the flow until it meets your requirements.
Also, here you have a compatibility matrix for Cisco devices with ISE: https://www.cisco.com/c/en/us/td/docs/security/ise/nad_capabilities/nad_capabilities_with_ise.html
Let me know if this clarified your queries, and also if you have a punctual point you'd like to check.
06-05-2023 12:28 PM
Okay, I tried to contact the Cisco sales team, but they haven't responded yet.
The requirements are very simple: any devices without my domain should not get authenticated.
What is the best method to do it?
Is there a license we need to purchase in ISE?
06-05-2023 01:34 PM
I see. In order to achieve this, as a summary, you have to configure AAA + dot1x on your test switch/WLC. Also, you should have your Active Directory configured in the External Identity Sources tab; follow this guide:
You have to configure the groups that you want to use from Active Directory from the same tab. This is also included in the above guide.
Plus, from the ISE side you have to configure a policy set to test this, in which you have to validate whether the user being authenticated is part of your Active Directory or not (in the auth policy). Finally, in the authz policy, among the multiple things you can validate, you can check whether the user is part of a specific group from your AD, or any other condition that you might want. After that, you can send an authz result, which can be a simple RADIUS Access-Accept or something more elaborate.
Now, from the client, in order to send the credentials, you will need to configure a supplicant. This can be done with the Windows native supplicant or with AnyConnect NAM. To start with the domain authentication, you can configure something like PEAP-MSCHAPv2, which is very straightforward, or something like EAP-TLS, which will require a PKI infrastructure.
Finally, for the licensing on ISE: if your deployment is new, you will have 90 days of evaluation mode, in which you can test all features of ISE.
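A minimal IOS/IOS-XE access-switch configuration for the "AAA + dot1x on your test switch" step described in the answer above, added here as an example and not taken from any post in this thread. The ISE address 192.0.2.10, the shared secret ISE-SECRET, the VLAN and the interface name are placeholders/assumptions; replace them with your own values.

```cisco
! Added example (not from the thread): 802.1X on an IOS/IOS-XE access
! switch pointing at ISE. 192.0.2.10, ISE-SECRET, VLAN 10 and
! GigabitEthernet1/0/1 are placeholders.
aaa new-model
! Define the ISE Policy Service Node as a RADIUS server
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ISE-SECRET
aaa group server radius ISE
 server name ISE-PSN1
! Send 802.1X authentication, authorization and accounting to ISE
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
! Enable 802.1X globally; without this no port will authenticate
dot1x system-auth-control
! Test port: stays closed until the supplicant succeeds. No MAB
! fallback is configured, so a device without valid domain
! credentials gets no access at all on this port.
interface GigabitEthernet1/0/1
 description NAC test port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
! Verify the session state after the client connects:
!   show authentication sessions interface GigabitEthernet1/0/1 details
```

The switch must also be added in ISE as a Network Device with the same shared secret, otherwise ISE silently drops its RADIUS requests and the port never authenticates.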
06-20-2023 02:55 PM - edited 06-20-2023 02:55 PM
It depends on the problem you are trying to solve.
See
▷ Secure Access with ISE 2022/04/07
▷ ISE for the Zero Trust Workplace