ISE policy creation question - best practices

bberry
Level 1

Ok, I am a rookie ISE user here and am trying to learn as I go. I have a 802.1x policy for our corporate users on both wired and wireless and a wireless guest policy that redirects to the guest portal to enter credentials created in the sponsor portal. The corporate user has access to corporate resources and the guest basically has access to just the internet.

I need to make what I am calling a Vendor policy that is basically a hybrid of the corporate user and the guest user. These would be vendors that are on-site to assist with programming and need access longer than what the guest account can be created for. This would also have specific ACLs that grant them access to the specific resources they would need. I would like to tie this into AD authentication since they have an AD account created to be able to access those corporate resources in most cases. My first question is: do I have a single policy that is tweaked as vendors come and go, or do I simply create a specific policy for each vendor? My second question is: do I, or should I, create unique SSIDs for each vendor?

As I said, I am just now getting into getting ISE configured. I am just not sure of what is considered a best practice or what is considered a secure way to make things happen. In regards to the policies I have created, they work, but I think I have a couple of holes to address.

Thanks ...

Brent

5 Replies

jj27
Spotlight

I wouldn't create unique SSIDs for each vendor. The great thing about ISE is it allows you to control SSID sprawl by identifying users/devices so you can specify unique security policies to them.

If I were doing it, what I would do is create Active Directory groups for each of your vendors and place their AD accounts inside of their respective groups.

Create Authorization Profiles for each vendor and apply Airespace ACLs for each vendor that specify what they can and can't get to. You would need to create the Airespace ACLs on the WLC.

Then, towards the top of your authorization policies, create one that matches your corporate SSID and the AD group for your vendor. Apply the appropriate authorization profile that matches and you should be good to go. Remember that ISE policies, by default, are first match, so the more specific policies that match on more criteria are usually placed towards the top of the list.

Make sense?
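To show why the rule order matters, here is an added toy first-match evaluator (not ISE code and not from this thread's posters) using the rule shapes discussed above: a vendor rule on the corporate SSID plus AD group plus endpoint group, a corporate dot1x rule, and a guest MAB rule. The attribute names, the "Domain Users" condition on the corporate rule and the vendor account also being a domain user are assumptions for illustration.

```python
# Added example: first-match evaluation of ISE-style authorization rules.
# Names VendorAsset, VendorADGroup and VendorPermissions come from the thread;
# the session attribute model and "Domain Users" are assumptions, not ISE's schema.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    ssid: str
    auth_method: str                                    # "dot1x" or "mab"
    ad_groups: set = field(default_factory=set)         # AD1:ExternalGroups
    endpoint_groups: set = field(default_factory=set)   # Endpoint Identity Groups

@dataclass
class Rule:
    name: str
    profile: str                       # authorization profile applied on match
    ssid: Optional[str] = None         # None means the condition is not used
    auth_method: Optional[str] = None
    ad_group: Optional[str] = None
    endpoint_group: Optional[str] = None

    def matches(self, s: Session) -> bool:
        return ((self.ssid is None or s.ssid == self.ssid)
                and (self.auth_method is None or s.auth_method == self.auth_method)
                and (self.ad_group is None or self.ad_group in s.ad_groups)
                and (self.endpoint_group is None or self.endpoint_group in s.endpoint_groups))

def authorize(rules, session, default="DenyAccess"):
    """First match wins, as in ISE: later rules are never consulted."""
    for rule in rules:
        if rule.matches(session):
            return rule.profile
    return default

def winning_rule(rules, session):
    """Name of the rule that fires, or None; handy for spotting shadowed rules."""
    return next((r.name for r in rules if r.matches(session)), None)

VENDOR = Rule("Vendor", "VendorPermissions", ssid="Corp",
              ad_group="VendorADGroup", endpoint_group="VendorAsset")
VENDOR_OTHER = Rule("Vendor_NonAsset", "DenyAccess", ad_group="VendorADGroup")  # vendor's phone
CORP = Rule("Corporate", "PermitAccess", ssid="Corp", auth_method="dot1x", ad_group="Domain Users")
GUEST = Rule("Guest_MAB", "Guest_Redirect", ssid="Guest", auth_method="mab")

SPECIFIC_FIRST = [VENDOR, VENDOR_OTHER, CORP, GUEST]   # recommended order
GENERIC_FIRST = [CORP, VENDOR, VENDOR_OTHER, GUEST]    # corporate rule shadows both vendor rules

# Constructed sessions: a vendor's registered laptop and the same vendor's phone.
vendor_laptop = Session("Corp", "dot1x", {"Domain Users", "VendorADGroup"}, {"VendorAsset"})
vendor_phone = Session("Corp", "dot1x", {"Domain Users", "VendorADGroup"}, set())
```

With the generic corporate rule on top, both vendor devices receive full corporate access and the vendor rules never fire; with the specific rules first, the laptop gets VendorPermissions and the unregistered phone is denied.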

Mostly makes sense. I have the AD part just need to get an AD group created for my test subject.

I created an Endpoint Identity Group to place the vendors' devices into so that we can allow a laptop to connect but not a phone. Got that.

I think I can handle the Authorization Profile. It will be something like: if VendorAsset and AD1:ExternalGroups Equals VendorADGroup, then VendorPermissions. VendorPermissions would be the ACL that limits where they can go. I also need to create a non-802.1x-based SSID as well and add this to the Authorization profile, but it can still be generic enough to be usable by all vendors.

I think it is my Authentication rules that I need to modify for Vendor, as my Corporate-based policies use Dot1x and I need a policy that does not use dot1x. Right?

Your thinking on the policies is absolutely correct if you wanted to limit the devices they can connect on.

If you are thinking about using a WPA/2 Pre-Shared-Key on an SSID, ISE cannot, to my knowledge, enforce access. Your two options are 802.1X or MAB. With MAB, you could have an OPEN SSID with no authentication and use MAC Filtering + NAC to limit who can connect to it based on MAC address.

So I think I just need to play with the MAB policy to get it to include this stuff then. I am trying to set things up so the vendor does not have to do anything, such as activating dot1x supplicants and stuff, to get connected. It would basically be like connecting from a hotel to get connected to the network.

I think that may be part of the issue with the way the policies stand, in that the existing MAB gives an open out.

If you use MAB then you won't be able to identify usernames without sending them through CWA.

Most devices have their native supplicant enabled to be able to join a wireless network with domain\username and password credentials.

You should be safe with 802.1x; otherwise MAB and CWA is the way to go.