FirePower Services NAC capabilities?

willfrui88
Level 1

We are looking at implementing FirePower Services on our current ASA's.  Does FirePower services have any Network Access Control capabilities?  Specifically, we want to block or at least notify our resources of any non-domain joined machine that plugs into our network.  

Thanks in advance.

Accepted Solution

Marvin Rhoads
Hall of Fame

Not directly. That would be more of an ISE function.

Your discovery policy can ascertain the usernames (via integration with AD) associated with all hosts (where such association exists). You could possibly craft a policy to block connections through the firewall from hosts without an associated username, but it would be a hack vs. using the product in the way it's designed.

It also would not do anything to keep them off the network - only prevent their traffic from going through the firewall.

With ISE you can do exactly what you're asking - it's a common use case and what the product is designed for.

4 Replies

Thank you Marvin!

willfrui88
Level 1

I am not terribly familiar with ISE.  How would ISE report on or block an unapproved device if it plugged into our network?  For example, if an unapproved device plugged into a network port at a remote site...how would ISE know immediately?  Is there something on the remote site switch that would inform ISE?  Thanks again.

ISE is a NAC solution that uses a combination of technologies to assess devices connecting to your networks and instructs the network access devices (switches, wireless controllers, ASAs etc.) to authorize (or change the authorization) accordingly.

It uses RADIUS, 802.1x, integration with an external identity store (like AD or LDAP) along with the capabilities built into Cisco and other vendors' NADs to take action according to the context of the situation (who, what, where, how etc.).

For instance, you could integrate ISE with AD and your switches and create policies that say, for instance, if a wired user connects and both the user and computer do not have the right conditions (i.e. computer belongs to domain, has required software installed, user has valid domain credentials and is a member of a certain group) then their access is denied or restricted.

ISE can push an ACL to the port, switch it to a quarantined or restricted VLAN, redirect all user traffic to a registration or remediation portal, etc.
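As an added illustration (not part of the thread, and not Cisco's own reference configuration), this is the piece that sits on the remote-site switch in the scenario above: an IOS-style access-switch configuration that runs 802.1X with MAB fallback, sends RADIUS requests to ISE, and accepts Change of Authorization so ISE can later push a dACL or move the port to a quarantine VLAN. The server name, IP address, VLAN number and shared secret are placeholders.

```cisco
! Constructed example: minimal 802.1X/MAB access-switch configuration pointing at ISE.
! 192.0.2.10, VLAN 10 and <SHARED-SECRET> are placeholders, not values from the thread.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ISE Policy Service Node acting as the RADIUS server
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
! Accept RADIUS CoA from ISE so it can re-authorize a session (e.g. quarantine after a posture failure)
aaa server radius dynamic-author
 client 192.0.2.10 server-key <SHARED-SECRET>
!
! Enable 802.1X globally on the switch
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description User access port
 switchport mode access
 switchport access vlan 10
 ! one data device plus one voice device per port
 authentication host-mode multi-domain
 ! port stays closed until ISE returns an authorization
 authentication port-control auto
 ! try 802.1X first; if the endpoint does not speak it, fall back to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! periodic re-authentication, interval supplied by ISE
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

With this in place, an unknown device on the port triggers a RADIUS request to ISE at link-up, so ISE sees the endpoint immediately and its policy (deny, restricted VLAN, dACL or portal redirect) is returned in the RADIUS response rather than discovered after the fact.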
