05-12-2013 11:26 PM - edited 03-10-2019 08:25 PM
Hello,
I'd like to implement Cisco ISE on my network so that 802.1x authentication will be operational.
When I take a look at this document: http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038
There are a lot of Catalyst 2950s on my network, and I see that some features aren't supported on these devices: MAB, dACL, SGA.
What are the consequences of these non-supported technologies? I've found out, for instance, that MAB is used to authenticate devices which don't allow or support 802.1x, so will the printers on my network still work?
And what about dACL and SGA? Are these features really useful, or isn't it that bad if I can't use them?
Thanks.
05-13-2013 02:46 AM
Hello Yoshipower,
Catalyst 2950 does not support MAB, SGA, CWA, LWA or dACL; it supports 802.1x only. So this means that you can only use dot1x authentication, but profiling, client provisioning, posture assessment and change of authorization features are not available to you on Catalyst 2950. You have already gone through the ISE Network Component Compatibility document.
So if you feel only user authentication fulfills your requirement, you can set up dot1x authentication, but it should not be enabled on the ports where devices like printers, IP phones, cameras, UPS, etc. are connected. Briefly, we can say that only user authentication is available.
Regards,
Ashok
05-13-2013 03:17 AM
I agree with Ashok... devices such as printers and cameras don't support dot1x and they completely rely on MAB.
If you turn on dot1x and MAB on the switches and set the order/priority, it will work for both kinds of devices, the ones that support dot1x and the ones that support MAB, so it will work in a failover fashion.
I'd say 3750 and 3560 PoE are the best switches to implement flex auth that includes dot1x, MAB and web-auth.
SGA is an advanced feature and not every deployment includes this feature.
SGA Features and Terminology
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_sga_pol.html#wp1058113
Jatin Katyal
- Do rate helpful posts -
05-13-2013 04:23 AM
If you want to manage your limited investment, you can follow a phased implementation approach, though it would be a little laborious. You can swap 2950 switches with 2960 or 3750 wherever you have devices like printers, so you connect your printers on either 2960 or 3750 switches only and PCs on 2950 switches. Then set up the flexauth (MAB > dot1x) order and priority as required on those switches where printers etc. are connected. Jatin Katyal has rightly suggested this; I agree with him.
With this approach, you can setup and enable all other features i.e. profiling, client provisioning, CoA for certain identity groups which are connected on supported switches (2960, 3750)
Note: Please make sure to review the IOS on your 2960 switches and compare the same in “ISE Network Component Compatibility Document”
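Added example, not taken from any of the replies above: the "flexauth" port configuration that the 03:17 reply describes (dot1x first, MAB as the fallback) and the MAB-first variant that the 04:23 reply suggests for printer ports, on a switch that supports these commands (2960/3560/3750-class IOS, not the 2950). The ISE server address 10.0.0.5, the shared secret and the VLAN numbers are placeholders. With the dot1x-first order, a device that has no supplicant is only tried with MAB after the supplicant timers expire, (max-reauth-req + 1) x tx-period, which is 3 x 10 = 30 seconds with the values below; that is why the printer ports in the second interface use the MAB-first order while still giving dot1x priority if a supplicant ever appears on that port.

```ios
! --- global AAA / RADIUS towards ISE (10.0.0.5 and the key are placeholders) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key ISE-SHARED-SECRET
radius-server vsa send authentication
! Accept Change-of-Authorization (CoA) from ISE; needed for profiling/posture
aaa server radius dynamic-author
 client 10.0.0.5 server-key ISE-SHARED-SECRET
!
! --- user PC port: dot1x first, fall back to MAB on failure/no response ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event no-response action authorize vlan 99
 authentication event server dead action authorize vlan 20
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! --- printer port: MAB first so the printer is authorised without the 30 s wait,
!     but dot1x keeps priority and takes over if a supplicant shows up ---
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 30
 authentication host-mode single-host
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 30
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

After the change, `show authentication sessions interface GigabitEthernet1/0/11` shows which method (dot1x or mab) authorised the session and the VLAN or dACL that ISE returned; `show dot1x interface GigabitEthernet1/0/10 details` shows the supplicant timers in effect. Note that `authentication event server dead action authorize vlan` is a deliberate availability trade-off: if ISE is unreachable the port is opened into the configured VLAN, so keep that VLAN as restricted as the site can tolerate.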
05-13-2013 03:08 AM
Hello Ashok,
Thank you for your proper answer; you're really fast in this forum. My network is composed of nearly 60% 2950 switches, but there are a lot of other devices such as 2960 and 3750 switches. However, I don't have a lot of devices which don't support 802.1x auth (only a dozen printers), so I guess I could turn off dot1x on them as you advised me.
Are the unavailable features on 2950 useful? I mean that if they are really essential, I would have to invest in new switches, and it's a considerable question in terms of money... I haven't deployed ISE yet, so I'd like to be sure of my theoretical study before going on.
Thanks a lot !
05-15-2013 12:24 AM
Hi back,
Here's a small update about my topic. I've talked a bit with my boss, and it turns out that he wants ISE to be deployed to ensure full security, which means I need to use profiling and provisioning for users to authenticate with the NAC agent!
Thus, I'd like to know which features are required for my solution. What do I need: CoA, Web Auth? I'm a bit lost...
I'm guessing I'll have to change my old 2950s, but what about my 2960, 3950, 4510 and 4507 switches? Do they support what I want to do?
Thank you for your help !
05-15-2013 02:19 AM
Yes I guess everything looks fine except 2960 doesn't support DACL.
Jatin Katyal
- Do rate helpful posts -