
Cisco NAC solution

My management decided to go with a NAC solution for wired/wireless users.

We have a virtual ISE in my environment, and the version running is 2.7.0.356.

We're using it only for TACACS authentication.

If we want to use NAC in ISE, then what are the requirements?

4 Replies

dalbanil
Cisco Employee

Hey vinothkumarchellappa84099, it really depends on what you would like to achieve and on your design. For a starting point and POC, I would recommend you set up a test environment and implement in it the different options that the following document talks about:

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Start with something easy like MAB, and then implement the different EAP flavors. Again, this is based on your design and endpoint capabilities. ISE has multiple capabilities and different flows, but start with something easy and continue improving the flow until it meets your requirements.

Also, here you have a compatibility matrix for Cisco devices and ISE: https://www.cisco.com/c/en/us/td/docs/security/ise/nad_capabilities/nad_capabilities_with_ise.html

Let me know if this clarified your queries, and also if you have a specific point you'd like to check.

Okay, I tried to contact the Cisco sales team, but they haven't responded yet.
The requirement is very simple: any device that is not in my domain should not get authenticated.
What is the best method to do it?
Is there a license we need to purchase in ISE?

I see. In order to achieve this, as a summary, you have to configure AAA + dot1x on your test switch/WLC, and you should also have your Active Directory configured in the External Identity Sources tab. Follow this guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html

You have to configure the groups that you want to use from Active Directory from the same tab. This is also included in the above guide.

Plus, from the ISE side you have to configure a policy set to test this, in which you have to validate whether the user being authenticated is part of your Active Directory or not (in the authentication policy). Finally, in the authorization policy, among the multiple things you can validate, you can check if the user is part of a specific group from your AD, or any other condition that you might want. After that you can send an authorization result, which can be a simple RADIUS Access-Accept or something more elaborate.

Now from the client side, in order to send the credentials, you will need to configure a supplicant. This can be done with the Windows native supplicant or with AnyConnect NAM. To start with the domain authentication you can configure something like PEAP-MSCHAPv2, which is very straightforward, or something like EAP-TLS, which will require a PKI infrastructure.

Finally, for the licensing on ISE, if your deployment is new, you will have 90 days of evaluation mode, in which you can test all features on ISE.

thomas
Cisco Employee

It depends on the problem you are trying to solve.

See

▷ Secure Access with ISE 2022/04/07
▷ ISE for the Zero Trust Workplace