cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1178
Views
0
Helpful
15
Replies

Dot1x without external identity store

DamianRCL
Level 1
Level 1

Hello,

Is it possible to implement Dot1x without AD or LDAP integration? If so, what are some ways it can be done?

Thank you.

15 Replies 15

@DamianRCL you can perform 802.1X using EAP-TLS certificates without an External Identity Source.

Though, typically if using certificates issued from an Internal CA you would authenticate the certificates and then optionally perform a lookup against AD for associated attributes, if required.

You could use a local account on ISE, I would not recommend it as it's not scalable solution.

If you have radius server then sure you can use it local DB for auth the endpoint 

MHM

DamianRCL
Level 1
Level 1

All good points. Thanks.

Is it also possible to use profiling probe results for authentication and authorization?

ISE can use MAB or chap' and you can use profile.

MHM

Yes, you can. But perhaps you better describe what your goal is that you want to achieve?

@DamianRCL use MAB or DOT1X for authentication and then you can use the Profiling attributes as conditions in authorisation rules, assuming you have the licensing (requires the Advantage license) for it.

DamianRCL
Level 1
Level 1

The network I'm working on uses LDAP. I would use that as an external ID store, but there would be too many hurdles  (people hurdles not technical). Currently port security is performed manually, which is an administrative chore. My goal is to implement 802.1x in a secure way without integrating with LDAP. Let me know if you need more details. Thanks.

@DamianRCL IMO, it doesn't seem practical to not integrate with LDAP if you have it. You will also need to consider the configuration of the endpoint supplicants configuration and how they will be configured, in an AD environment this can be deployed centrally.

If you still decide not to use an External Identity Source then EAP-TLS is the most secure method, you could use the ISE CA and onboard the devices, where the users will enrol and receive a certificate. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867

 

DamianRCL
Level 1
Level 1

Duly noted, Rob. My intent was to roll this out while limiting the involvement of other silos, but it appears that won't be possible. I'll shoot for LDAP integration when the time comes.

Thanks!

thomas
Cisco Employee
Cisco Employee

Yes, I demonstrated this in

 User & Endpoint Custom Attributes 2022-09-06

05:01 Defining User Custom Attributes for ISE Internal Users
06:10 Defining Endpoint Custom Attributes and their Common Uses
07:36 Demo: Creating User Custom Attributes
10:41 Demo: ISE 802.1X Policy Review, and Authentication

Thanks, Thomas. I'll be sure to take a look!

Pulkit Mittal
Spotlight
Spotlight

Implementing 802.1X (Dot1x) without integrating with Active Directory (AD) or LDAP is possible in Cisco Identity Services Engine (ISE). Here are some ways to achieve this:

  1. Local Identity Store:

    • Local identity store within ISE allows you to create and manage user accounts directly within ISE.
    • You can define users and their credentials (username/password) directly in ISE.
    • While this approach is feasible, it’s not recommended for large-scale deployments due to scalability and management challenges.
  2. Certificate-Based Authentication:

    • Instead of relying on AD or LDAP for user authentication, consider using certificate-based authentication.
    • Configure ISE to accept client certificates (such as EAP-TLS) for authentication.
    • Clients present their certificates during the 802.1X process, and ISE validates them against its local certificate store or a trusted Certificate Authority (CA).
  3. Guest Services:

    • If you’re implementing Dot1x for guest access, ISE can handle guest authentication without AD or LDAP integration.
    • Set up a guest portal in ISE, create guest accounts, and allow access based on credentials provided during the guest registration process.
  4. Machine Authentication (MAB):

    • While not true Dot1x, Machine Authentication Bypass (MAB) allows devices to authenticate based on their MAC addresses.
    • Configure MAB policies in ISE to allow certain devices (e.g., printers, IP phones) without relying on AD or LDAP.
  5. Custom Identity Sources:

    • ISE allows you to define custom identity sources beyond AD and LDAP.
    • You can create custom identity sources using RADIUS, RSA SecurID, or other methods.
    • While not common, it provides flexibility for specific use cases.
  6. Local Web Authentication:

    • For scenarios where you need to authenticate users via a captive portal (web page), ISE can perform local web authentication.
    • Users provide credentials directly to ISE via the web portal.

Remember that while these methods allow Dot1x without AD or LDAP, they have limitations. Consider your specific requirements, scalability, and security needs when choosing the appropriate approach for your deployment.

If you find this useful, please mark it helpful and accept the solution.

Thanks for this, Pulkit. This places things into perspective very nicely.

But always keep in mind that ChaptGPT often gives inaccurate answers.