02-21-2019 09:09 AM - edited 03-08-2019 07:13 PM
Looking for guidance on something I am attempting to setup in my current environment:
Overview of environment:
Currently running an SDA fabric with an IS-IS underlay. Utilizing CTS with SGTs to provide a more granular RBACL setup. ISE is set up in a 4-node deployment (1 PAN, 1 backup PAN, 2 PSNs) which is integrated with AD. Current ISE version is 2.3p4. Current DNAC version is 1.2.6.
Requirement is to set up guest/sponsor portals. Currently we default users who fall back to MAB authentication into a separate VN that has limited access to resources that, for example, would allow a user to image a box. The current plan that I am testing out is to change the default MAB behavior to redirect users to the portal. The guest network will be a separate VN with different restricted access than the current default MAB VN.
Questions:
Does anyone know (without using client provisioning/posture checks for guests) how to determine if a device is a legitimate GFE DoD-approved box? I believe there is a way to identify this via a reg key. However, this will introduce the requirement of guests needing to be scanned via the posture module. Unless there is an easier way?
How can I keep the imaging MAB process separate from the eventual default MAB policy that will redirect guests to the portal? I want to eliminate any manual processes such as manually adding MACs to endpoint groups from tickets submitted. Note that I have the portals set up to require sponsor approval and automatically register guest user MACs to an endpoint group.
Also, is this the easiest way to allow a guest to connect and select what VN their endpoint should be a part of:
User connects, gets redirected to the portal, starts registration, selects whatever guest type, which then auto-registers their MAC into specific endpoint groups. Then the policies dump them into the respective VN with an SGT based on the separate groupings. Is there another way of automating this process of how the endpoint identity should be placed for proper VN/SGT assignment?
Any help is appreciated. Thanks.
02-21-2019 09:49 AM
For the imaging issue I have written an executable that some of my customers have used in their imaging process that automatically takes the MAC address of the NIC, makes an API call to ISE and adds the MAC address to an identity group that is allowed access for imaging. Once the computer was rebooted it would get the correct access.
I can't share that program with you but I can share the idea.
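The reply above only sketches the imaging helper. The following is an added example, not the poster's program and not Cisco code, of how such a tool can be written against the ISE ERS API: it normalizes the NIC's MAC, looks up the endpoint identity group by name, and creates a statically group-assigned endpoint. The ERS port (9060), the `/ers/config/endpointgroup` and `/ers/config/endpoint` paths, the `name.EQ.` filter and the `ERSEndPoint` JSON shape follow the ISE 2.x ERS API as I know it; check them against the ERS SDK page on your ISE version. The host name, group name, credentials and the `FakeIse` stand-in are constructed so the flow runs offline.

```python
"""Offline-testable helper for the idea in the reply above: read the NIC's MAC and add it to an
ISE endpoint identity group through the ERS API. Hypothetical example; names are placeholders."""
import base64
import json
import re
import urllib.parse
import urllib.request
import uuid

ERS_PORT = 9060  # ERS listens here once enabled under Administration > System > Settings > ERS Settings

def normalize_mac(raw):
    """Accept aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff; return AA:BB:CC:DD:EE:FF as ISE stores it."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def local_mac():
    """MAC the OS reports via uuid.getnode(); refuse its random fallback (multicast bit set)."""
    node = uuid.getnode()
    if (node >> 40) & 1:
        raise RuntimeError("no hardware MAC available on this host")
    return normalize_mac(f"{node:012x}")

def basic_auth_header(user, password):
    """ERS uses HTTP basic auth; use a dedicated ERS operator account, not a super admin."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def build_group_lookup(ise_host, group_name, auth):
    """GET the endpoint identity group by exact name so no group id is hard-coded in the tool."""
    url = (f"https://{ise_host}:{ERS_PORT}/ers/config/endpointgroup"
           f"?filter=name.EQ.{urllib.parse.quote(group_name, safe='')}")
    return urllib.request.Request(url, headers={"Accept": "application/json", "Authorization": auth})

def build_endpoint_create(ise_host, mac, group_id, auth, description):
    """POST a statically group-assigned endpoint; ISE answers 201 Created on success."""
    body = {"ERSEndPoint": {"name": mac, "description": description, "mac": mac,
                            "groupId": group_id, "staticGroupAssignment": True}}
    return urllib.request.Request(
        f"https://{ise_host}:{ERS_PORT}/ers/config/endpoint",
        data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": auth})

def register_mac(ise_host, group_name, user, password, mac=None,
                 description="imaging", urlopen=urllib.request.urlopen):
    """Look up the group, then create the endpoint in it. urlopen is injectable for offline tests;
    the real urlopen verifies ISE's TLS certificate, so trust ISE's CA on the imaging host
    instead of disabling verification."""
    auth = basic_auth_header(user, password)
    mac = normalize_mac(mac) if mac else local_mac()
    with urlopen(build_group_lookup(ise_host, group_name, auth)) as resp:
        found = json.load(resp)["SearchResult"]
    if found.get("total") != 1:
        raise LookupError(f"expected exactly one group named {group_name!r}, got {found.get('total')}")
    group_id = found["resources"][0]["id"]
    with urlopen(build_endpoint_create(ise_host, mac, group_id, auth, description)) as resp:
        if resp.status != 201:
            raise RuntimeError(f"endpoint create failed with HTTP {resp.status}")
    return {"mac": mac, "groupId": group_id}

class _Resp:
    """Minimal file-like response so the stand-in below works with json.load and 'with'."""
    def __init__(self, status, payload):
        self.status, self._body = status, json.dumps(payload).encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False

class FakeIse:
    """Constructed stand-in for ISE ERS (not a real server) that answers the two requests above."""
    def __init__(self, group_name, group_id):
        self.group_name, self.group_id, self.created = group_name, group_id, []

    def __call__(self, req):
        url, method = req.full_url, req.get_method()
        if method == "GET" and "/ers/config/endpointgroup" in url:
            wanted = urllib.parse.unquote(url.split("name.EQ.", 1)[1])
            hits = [{"id": self.group_id, "name": wanted}] if wanted == self.group_name else []
            return _Resp(200, {"SearchResult": {"total": len(hits), "resources": hits}})
        if method == "POST" and url.endswith("/ers/config/endpoint"):
            self.created.append(json.loads(req.data)["ERSEndPoint"])
            return _Resp(201, {})
        return _Resp(404, {})

if __name__ == "__main__":
    fake = FakeIse("Imaging-Allowed", "constructed-group-id")  # constructed values
    print(register_mac("ise.example.invalid", "Imaging-Allowed", "ersuser", "secret",
                       mac="00-11-22-aa-bb-cc", urlopen=fake))
```

Against a real deployment, drop the `urlopen=` argument and pass the ERS user and password from the imaging environment (an environment variable or a vault lookup) rather than compiling them into the executable, since anything baked into an imaging tool is readable by whoever has the image. The ERS account only needs rights to read endpoint groups and create endpoints. Because MAB trusts nothing but the MAC, the endpoint group this tool populates should map to an authorization rule that lands the device in the imaging VN only, and a scheduled job that deletes endpoints from the group once imaging has finished keeps the list of permanently MAB-whitelisted MACs from growing.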