Impose ACLs on IoT devices using Cisco ISE

arunan
Level 1

Hi there,

I am new to Cisco ISE. We have hundreds of IoT assets like printers, cameras and VoIP phones in our network. Also, we have permitted ACLs for each asset.

1) Can we use Cisco ISE to impose those ACL rules on assets across the network? If so, how can we do that?

2) Do we have to treat these assets as endpoints or network devices? What is the difference between them?

2 Accepted Solutions

balaji.bandi
Hall of Fame

If they cannot have a supplicant you can do MAC-based authentication; based on the MAC you can set up whatever permission or ACL you need to apply.

Most ISE deployments work as below. Since you have not mentioned which ISE version you have here, is this an SD-Access deployment?


https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html

BB


@arunan to address your questions.

For the IoT devices, assuming they do not support 802.1X, use MAB. Add the MAC addresses to a unique Endpoint Identity Group per IoT device type, and potentially combine this with ISE Profiling policies to distinguish between device types.

To apply policies across the network you can use TrustSec SGTs; these can be applied during authorisation in ISE. The switches can use inline tagging to transmit those SGTs throughout the network to the enforcement point, where traffic can be permitted/denied accordingly.

If you cannot or do not want to implement TrustSec, then you could just use a Downloadable ACL (DACL) to permit/deny traffic on the network.

These IoT devices would be classed as "Endpoints"; a network device would be the switches the endpoints connect to.

HTH

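As an added illustration of how the MAB, Endpoint Identity Group and DACL pieces above fit together (this is constructed example configuration, not from Rob's post or from Cisco's documentation), assuming a Catalyst switch in classic IOS authentication mode, an ISE PSN at 10.0.0.10, a DNS/NTP server pair at 10.0.0.53 and 10.0.0.123, a print-server subnet 10.10.10.0/24, and an endpoint group and DACL named IoT-Printers / DACL-IoT-Printers (all placeholder names):

```cisco
! --- Switch side: global AAA pointing at ISE (constructed example) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
dot1x system-auth-control
! Needed on classic IOS so the switch learns the endpoint IP that
! the DACL's "any" source is rewritten to.
ip device tracking
!
! --- Access port: MAB first so a printer without a supplicant is
!     authenticated by MAC; 802.1X still wins if a supplicant appears ---
interface GigabitEthernet1/0/1
 description IoT printer (MAB)
 switchport mode access
 switchport access vlan 20
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- ISE side (entered in the GUI, shown here as text) ---
! Policy > Policy Elements > Results > Authorization > Downloadable ACLs
! Name: DACL-IoT-Printers
! The DACL filters traffic SOURCED BY the endpoint, so print-job replies
! leave the printer with SOURCE port 9100/631; match on that, not "eq 9100"
! as the destination, or every job will be blocked once the ACL applies.
permit udp any host 10.0.0.53 eq 53
permit udp any host 10.0.0.123 eq 123
permit tcp any eq 9100 10.10.10.0 0.0.0.255
permit tcp any eq 631 10.10.10.0 0.0.0.255
deny ip any any
!
! Authorization rule (assumed names), Policy Sets > Authorization Policy:
!   IF   IdentityGroup:Name EQUALS Endpoint Identity Groups:IoT-Printers
!        AND Network Access:EapAuthentication / Wired_MAB
!   THEN Profile: PermitAccess + DACL-IoT-Printers  (or an SGT such as IoT_Printers)
!
! Verify on the switch that the DACL was actually pushed to the session:
! show authentication sessions interface Gi1/0/1 details
!   -> Method: mab, Status: Authorized,
!      ACS ACL: xACSACLx-IP-DACL-IoT-Printers-<hash assigned by ISE>
```

If `show authentication sessions` shows the session authorized but no ACS ACL line, the usual causes are the missing `aaa authorization network` line or the switch not yet having an IP for the endpoint.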

3 Replies


Thanks @Rob Ingram & @balaji.bandi. Yes, as you mentioned, most of our IoT devices do not support 802.1X, so MAB is a viable option. But I couldn't find a guide to configure MAB on Cisco ISE 3.0. Can you advise on this, please?

The part I don't understand is how to map TrustSec SGTs / Downloadable ACLs (DACLs) to endpoint groups. Can I tag an endpoint using MAB and then assign a TrustSec SGT / DACL to that specific tag?