07-27-2018 06:55 AM
Hello everyone,
I am in the process of deploying ISE 2.3 and would like to know how ISE handles the profiling, AuthC, and AuthZ of devices that are contained in unrouted VLANs. I'm guessing that the dot1x authentication and authorization are applied like a normal AAA request, correct? Also, seeing that these contained devices likely won't have DHCP and won't pass any LLDP/CDP info, will any of the other probes be usable against devices in this unrouted VLAN?
Terence
07-27-2018 11:28 AM
The network device (NAD) will process the requests on behalf of the client authenticating to the switch port. The RADIUS request from the switch to the ISE policy node is the only thing that technically needs to be routed for basic MAB and dot1x authentication and authorization.
Authorization results (Access-Accept, dACL, etc.) would be sent back to the switch and applied to the client session on the given port. Central Web Auth wouldn't work without the device being able to navigate to the ISE PSN-hosted portal.
Profiling might be limited depending on whether the clients are using static addressing, but CDP/LLDP information would be collected by the switch directly from the device and then sent to ISE through the RADIUS accounting messages. Other probes don't require any direct contact with the device, like the DNS or Active Directory (based on hostname) polling. NMAP would be hindered by a non-routed VLAN as well, since the scan is sourced by the PSN and sent directly to the client.
07-31-2018 09:04 AM
Thanks. I kinda figured that to be the case but wanted to verify and confirm my understanding.
07-27-2018 12:59 PM
Hi Terence,
When you say unrouted VLAN, does it have an SVI? Do these devices have an IP address, and if so, is it static?
I need more clarity on the use case, the type of devices, what you are trying to do with them, etc.
Profiling requires two attributes, MAC and IP, which it typically gathers from RADIUS or DHCP in order to gather further information. ISE uses the IP address information to gather more information from the network using different probes. CDP/LLDP information can be sent via RADIUS; you need device sensor to be turned on for that.
If it is a non-routable VLAN with no SVI, then it is already isolated? Maybe you need to look into private VLANs, etc.
Thanks
Krishnan
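The device sensor setup referred to above (CDP/LLDP collected by the switch and forwarded to ISE inside RADIUS accounting), as an added configuration example that is not part of the original thread or Cisco's documentation. It assumes a Cisco IOS/IOS-XE switch acting as the NAD; the PSN address 10.0.0.10, the server group name ISE, the filter-list names, and the shared-secret placeholder are assumptions to be replaced with your own values.

```ios
! Assumed ISE PSN address and shared secret; replace with your own
radius server ISE-PSN
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa group server radius ISE
 server name ISE-PSN
!
! dot1x/MAB authentication and authorization, plus accounting so the
! device-sensor attributes have a RADIUS message to ride in
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting update newinfo periodic 2880
radius-server vsa send authentication
radius-server vsa send accounting
!
! Only forward the TLVs ISE profiling actually uses, not every TLV seen
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name platform-type
 tlv name address-type
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
device-sensor filter-list dhcp list DHCP-LIST
 tlv name host-name
 tlv name class-identifier
device-sensor filter-spec cdp include list CDP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec dhcp include list DHCP-LIST
!
! Send the collected attributes in RADIUS accounting, and resend when they change
device-sensor accounting
device-sensor notify all-changes
```

With this in place, `show device-sensor cache all` on the switch shows what was learned per endpoint, and the same attributes should appear on the endpoint in ISE once the RADIUS probe is enabled on the PSN. In the unrouted VLAN from the original question the DHCP list will stay empty (no DHCP there), but the CDP and LLDP lists still populate because the switch talks to the endpoint at layer 2 on the local port; only the switch-to-PSN RADIUS path needs to be routed.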
07-31-2018 09:05 AM
Yes, by unrouted I mean no SVI and no other layer 3 device or firewall. It's just a VLAN with a handful of endpoints, and the only way you can reach them is by placing your device in that VLAN.