This is my first time posting to the community at large... please be gentle.
I've been working with ISE 2.3 for about two weeks, so my apologies in advance if this is a dumb question. We're performing a bake-off with multiple NAC solutions, and one of the evaluation criteria is the ability to detect and enforce network access restrictions on guest virtual machines hosted on otherwise approved endpoints. For example, assume a known Windows endpoint connects to the network and is subsequently authenticated and permitted access to the network. That same endpoint then starts a Kali Linux virtual machine and starts pen-testing the internal network. I realize there's an entire ecosystem of solutions meant to detect this "east-west" activity, but my question is: can a standalone implementation of Cisco ISE (no Stealthwatch, no pxGrid, etc.) detect the presence of a hosted virtual machine based on information reported by the access device (NetFlow, CDP, LLDP, etc.)? Our access devices for the tests are a 4500X (03.08.01 universal k9) and a 3750X (15.0.2-SE11 universal k9).
I've been reading day and night and I can't seem to find a straightforward answer on this subject. Granted, I'm just getting started with 802.1x and NAC concepts in general.
The multi-auth option seems to work well for daisy-chained scenarios (switch -> IP phone -> PC) and bridged VMs. I think the concern here is the use of unauthorized virtual machines NAT'd behind an authenticated endpoint, using VMware Workstation or VirtualBox for example. In that situation, I'm not sure how the NAC could distinguish the physical host from the guest VM, barring some form of packet analysis.
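As an added illustration of the "packet analysis" Jason mentions (this is not an ISE feature and not code from anyone in this thread), the script below applies a well-known heuristic to packets seen from a single authenticated MAC: every OS family stamps outgoing packets with a characteristic initial IP TTL (64 for Linux, 128 for Windows, 255 for some network stacks), and a host-based NAT such as VMware Workstation or VirtualBox forwards the guest's packets through the host, which costs one hop. So a NAT'd guest shows up at the access switch as traffic with a TTL one below an initial value, or with a different inferred initial TTL than the host's own traffic, all coming from the same MAC. The packet tuples are constructed sample data; `SAMPLE_PACKETS`, `analyze` and `infer_initial_ttl` are names chosen for this example.

```python
"""Heuristic detection of a NAT'd guest OS behind one authenticated endpoint.

Constructed example (not a Cisco ISE feature).  Packets from a single MAC
are grouped and their IP TTLs examined.  Each OS family starts packets with
a characteristic initial TTL (Linux 64, Windows 128).  A NAT'd VM's packets
are forwarded by the host's virtual NAT, so they leave the physical NIC with
the guest's initial TTL minus one hop, while the host's own traffic keeps
its full initial TTL.  Two different inferred initial TTLs, or a TTL one
below an initial value, from the same MAC suggests a second IP stack is
hiding behind that port.
"""
from collections import defaultdict

# Initial TTL values commonly used by OS families (well-known defaults).
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: (src_mac, src_ip, ip_ttl) tuples as a SPAN or flow
# collector on the access switch might report them.  MAC aa:... is a Windows
# host that also runs a NAT'd Linux VM; MAC bb:... is a plain Windows host.
SAMPLE_PACKETS = [
    ("aa:bb:cc:00:00:01", "10.0.1.10", 128),
    ("aa:bb:cc:00:00:01", "10.0.1.10", 128),
    ("aa:bb:cc:00:00:01", "10.0.1.10", 63),   # Linux guest, decremented by host NAT
    ("aa:bb:cc:00:00:01", "10.0.1.10", 63),
    ("bb:bb:cc:00:00:02", "10.0.1.11", 128),
    ("bb:bb:cc:00:00:02", "10.0.1.11", 128),
]


def infer_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    return None


def analyze(packets, hops_from_sensor=0):
    """Group packets by source MAC and flag MACs whose packets imply more than
    one IP stack.  hops_from_sensor is the number of routers between the
    endpoint and the capture point (0 when capturing on the access switch),
    so that legitimate per-hop decrements are not mistaken for NAT."""
    per_mac = defaultdict(set)
    for mac, _ip, ttl in packets:
        # Normalise to the TTL the packet had when it left the endpoint.
        per_mac[mac].add(ttl + hops_from_sensor)

    findings = {}
    for mac, ttls in per_mac.items():
        stacks = {infer_initial_ttl(t) for t in ttls}
        # A TTL exactly one below an initial value means one extra hop
        # inside the endpoint itself, i.e. traffic forwarded by a host NAT.
        natted = {t for t in ttls if t + 1 in INITIAL_TTLS}
        findings[mac] = {
            "egress_ttls": sorted(ttls),
            "os_stacks": sorted(stacks),
            "suspect_nat_vm": len(stacks) > 1 or bool(natted),
        }
    return findings


if __name__ == "__main__":
    for mac, finding in analyze(SAMPLE_PACKETS).items():
        print(mac, finding)
```

The check is a heuristic, not proof: TTLs can be rewritten by the host, a VPN client on the host also forwards guest-style traffic, and a guest whose OS matches the host only trips the "one below initial" rule. It does, however, give a NAC evaluation a concrete, agentless signal to test against, which is exactly what the thread concludes the switch-reported data (CDP, LLDP, session counts) cannot provide on its own.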
Thanks Jason, that appears to be the general consensus in most of my other research. Without some endpoint assessment / enforcement agent, there doesn't appear to be a method for detecting NAT'd virtual systems.