ISE Feature needed to support quarantine actions like TC-NAC and/or RTC

Allen P Chen
Level 5

Hi Folks,

To achieve quarantine capabilities in ISE integrations with AMP for Endpoints and vulnerability scanners through Threat-Centric NAC and Firepower Management Center through Rapid Threat Containment, which feature in the ISE compatibility matrix is required?  I believe as long as ISE can issue a RADIUS Change of Authorization to the Network Access Device, TC-NAC and RTC will be supported.  Is my understanding correct?  In the ISE Compatibility Matrix, the features of ISE are broken down to the following:

Feature                  Functionality
AAA                      802.1X, MAB, VLAN Assignment, dACL
Profiling                RADIUS CoA and Profiling Probes
BYOD                     RADIUS CoA, URL Redirection + SessionID
Guest                    RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Guest Originating URL    RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Posture                  RADIUS CoA, URL Redirection + SessionID
MDM                      RADIUS CoA, URL Redirection + SessionID
TrustSec                 SGT Classification

Cisco Identity Services Engine Network Component Compatibility, Release 2.2 - Cisco

The AAA feature should naturally support Change of Authorization, so would this be the feature in the matrix above to look for in terms of third party vendor support for TC-NAC and RTC?

Thanks in advance for the clarification.

Accepted Solution

Timothy Abbott
Cisco Employee

The AAA feature is simply the ability of a network device to support the authentication of an endpoint, assign some form of authorization (VLAN, dACL, etc) and then send accounting information.  RADIUS CoA is not required for AAA.  RADIUS CoA is required when you need to change the network privileges of an authenticated endpoint after authorization has already been assigned.  In the case of TC-NAC / RTC, you need CoA support in the network device.  Hope that helps.

Regards,

-Tim
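To make concrete what "RADIUS CoA support" means on the wire, here is an added Python example (not from this thread or from Cisco) that encodes an RFC 5176 CoA-Request, emulates the network device's CoA-ACK/NAK, and verifies the response authenticator on the server side before trusting it. The shared secret, the session id and the Cisco `subscriber:command=reauthenticate` AV pair are assumptions used for illustration, not values from the thread.

```python
"""RFC 5176 CoA-Request encoder and response check (constructed example)."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # RFC 5176 packet codes
ATTR_ACCT_SESSION_ID, ATTR_VENDOR_SPECIFIC = 44, 26  # RFC 2866 / RFC 2865 attribute types
CISCO_VENDOR_ID = 9


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; at most 253 value octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying vendor 9, vendor-type 1 (cisco-avpair)."""
    inner = struct.pack("!BB", 1, len(text) + 2) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_coa_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def build_coa_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Device side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs

def verify_coa_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Server side: accept only a CoA-ACK/NAK whose ID and authenticator match our request."""
    if len(response) < 20 or response[0] not in (COA_ACK, COA_NAK) or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def quarantine_reauth_request(secret: bytes, identifier: int, acct_session_id: str) -> bytes:
    """CoA asking the device to re-authenticate one session so new (quarantine) authorization can apply."""
    attrs = avp(ATTR_ACCT_SESSION_ID, acct_session_id.encode())
    attrs += cisco_avpair("subscriber:command=reauthenticate")  # Cisco AV pair; an assumption here
    return build_coa_request(secret, identifier, attrs)
```

A device that only does AAA never listens for these code-43 packets (UDP/3799 by default), which is why the thread's answer hinges on CoA rather than on the AAA row of the matrix.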


3 Replies


Hi Tim,

Thanks for the feedback.  As Cisco continues to push features like TC-NAC/RTC, customers would like to know if these features are supported on third party devices.  Would it make sense to have TC-NAC/RTC listed as a feature by itself in the matrix?

Based on the existing third party compatibility matrix for 2.2, would it be safe to say that Aruba supports TC-NAC/RTC since it supports Profiling, BYOD, Posture, Guest, etc, and all of those features require CoA as mentioned in the matrix?

Profiling                RADIUS CoA and Profiling Probes
BYOD                     RADIUS CoA, URL Redirection + SessionID
Guest                    RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Guest Originating URL    RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Posture                  RADIUS CoA, URL Redirection + SessionID

However, something like Juniper, where only AAA is supported, TC-NAC/RTC would not be supported with ISE?

Thanks again for your feedback, much appreciated. 

Since Aruba controllers support RADIUS CoA then I think it is safe to say they can participate in the TC-NAC / RTC solution.  Juniper on the other hand doesn't support CoA IIRC.  So no, I don't think they would be supported.

Regards,

-Tim