ISE VDI Integration Guide

omadrile
Cisco Employee

Hi team,

I know it's a recurrent topic, but the only documentation we seem to have is this guide from back in 2013, "Cisco TrustSec How-To Guide: Segmenting Clients and Servers in the Data Center Using the Cisco Nexus 1000V Series Switches": https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/segmenting_clients_servers_guide.pdf

Therefore, do we have any plans to validate and document the integration of ISE with other VDI solutions, i.e. Citrix, VMware, Microsoft, etc.? Can you please share any estimated timeline if there's one?

 

Thanks,

Oriol

1 Accepted Solution


Note that there is also the TS-Agent that will send Passive ID info from the term server to ISE, which will get published to subscribers such as FTD today and which includes the IP and port range assigned to the connecting client, but Passive ID does not currently instantiate a session with SGT mapping. EasyConnect provides this (RADIUS authorization with optional SGT) for wired clients today when the Passive ID method is WMI.


6 Replies

jeaves@cisco.com
Cisco Employee

Hi,

We are currently working on developing an agent to sit on Windows/Citrix servers to provide the IP differentiation required for TrustSec/group-based policies.

A release by the end of the year is the target.

Regards, Jonothan.

Please suggest if there is any support for VDI infrastructure with Cisco ISE. We need to test a few of the use cases below. We generally use the Cisco AnyConnect agent with EAP-FAST/EAP-TLS; however, there isn't any documentation with respect to support for VDI infrastructure.

Use Cases:
- User + Machine Authentication
- Posture Assessment

Any pointers in the matter would be helpful!!

Do you have any updates on development of that agent sitting on Citrix servers?

Latest information from the Product Manager:

"We're collecting customer information to enrich the business justification that we're putting together to secure funding to complete the project.

Is there any information you can share about the customer (number of users, Microsoft Server version, XenApp/Desktop version, deal value, ...) or the partner's interest (is the partner seeing a demand for this)?"
