ISE for securing VDI and Laptop user environment

p.s.arun2020
Level 4

Hi All,

We have a customer requirement where they have VDI as well as laptop users who connect to random ports. Please advise what is the best way to securely deploy ISE in such an environment. I was thinking of having MAB for VDI and dot1X for laptop users, and was also wondering if we can have easyconnect for VDI and dot1x for laptop users. Please advise.

Accepted Solutions

ldanny
Cisco Employee

Hi Arun,

I don't think there is really a straight answer here, as different types of methods can be used; however, keep in mind easyconnect relies on Kerberos authentication.

An example for MAB would be to whitelist or blacklist based on profiles.

Dot1x needs a bit more "fine tuning" if certs are being used, and in the network device configurations, but is considered one of the most secure methods.

If your laptops are Windows-based then easyconnect could be a simpler solution.

Thanks,

Danny

4 Replies

Thanks Danny for your response! Will try your suggestions. Was wondering if you have any use case for VDI thin client users.

Jason Kunst
Cisco Employee

This should work fine.

I’m not quite sure how your VDI use case will work. If the VDI client machine doesn’t support Dot1x but it does log in to the domain, so that the IP address of the local client is mapped to a domain user, then that might work as well.

Please lab it up.

Sure Jason! Will lab it up.