Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
243
Views
5
Helpful
2
Replies

ISE 1.3 and NAC

Jim Blake
Level 1
Level 1

‎01-13-2015 05:23 AM - edited ‎03-10-2019 10:20 PM

I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK on both at the moment :(

They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.

Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.

Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support


Thanks for any advice/comments/experiences


Jim

Labels:
0 Helpful
2 Replies 2

nspasov
Cisco Employee
Cisco Employee

‎01-13-2015 10:33 AM

Hi Jim-

Version 1.3 offers a built-in PKI and vastly improved guest services experience. The internal PKI is nice if the customer doesn't have an PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow" So you cannot use the ISE PKI to issue certs to domain computers.

With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.

I hope this helps!

 

Thank you for rating helpful posts!

 

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎01-16-2015 04:49 AM

ISE 1.3 has several guest enhancements (guest types,Guest Access with Hotspot Guest Portals,Guest Access with Credentialed Guest Portals  etc ) 

 

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01111.html

check the following link for ISE 1.3 BYOD

http://blogs.cisco.com/security/cisco-identity-services-engine-ise-1-3-and-cisco-anyconnect-4-0-are-now-available

Customers Also Viewed These Support Documents