Solved: Re: ISE for securing VDI and Laptop user environment

p.s.arun2020 · ‎11-26-2017

Hi All,

We have a customer requirement where they have VDI as well as laptop users who connect to random ports. Please advise what is the best way to securely deploy ISE in such an environment. I was thinking of having MAB for VDI and dot1X for laptop users and Also was wondering if we can have easyconnect for vdi and dot1x for laptop users. please advise.

ldanny · ‎11-26-2017

Hi Arun,

I dont think there is really a straight answer here as different types of methods can be used , however keep in mind easyconnect relies on kerebos authentications.

An example for MAB would be to Whitelist or Blacklist based on Profiles.

Dot1x needs a bit more "fine tuning" if Certs are being used and Network Device configurations , but is considered one of the most secured methods.

If your laptops are windows based then easyconnect could be a more simpler solution .

Thanks,

Danny

View solution in original post

ldanny · ‎11-26-2017

Hi Arun,

I dont think there is really a straight answer here as different types of methods can be used , however keep in mind easyconnect relies on kerebos authentications.

An example for MAB would be to Whitelist or Blacklist based on Profiles.

Dot1x needs a bit more "fine tuning" if Certs are being used and Network Device configurations , but is considered one of the most secured methods.

If your laptops are windows based then easyconnect could be a more simpler solution .

Thanks,

Danny

p.s.arun2020 · ‎11-27-2017

Thanks Danny for your response! will try your suggestions. Was wondering if you have any use case for VDI thin client users.

Jason Kunst · ‎11-27-2017

This should work fine

I’m not quite sure how your VDI use case will work, if the vdi client machine doesn’t support Dot1x but it does login to the domain so that IP address of local client is mapped to a domain user then that might work as well

Please lab it up

p.s.arun2020 · ‎11-28-2017

Sure Jason! Will lab it up.