cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1792
Views
10
Helpful
6
Replies
Highlighted
Cisco Employee

ISE VDI Integration Guide

Hi team,

 

I know it's a recurrent topic but the only documentation we seem to have is this guide from back 2013 "Cisco TrustSec How-To Guide: Segmenting Clients and Servers in the Data Center Using the Cisco Nexus 1000V Series Switches": https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/segmenting_clients_servers_guide.pdf

Therefore, do we have any plans to validate and document the integration of ISE with other VDI solutions i.e. Citrix, VMware, Microsoft etc.. Can you please share any estimated timeline if there's one?

 

Thanks,

Oriol

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Advocate

Re: ISE VDI Integration Guide

Note that there is also the TS-Agent that will send Passive ID info from term server to ISE which will get published to subscribes such as FTD today which includes the IP and port range assigned to connecting client, but Passive ID does not currently instantiate a session with SGT mapping.  EasyConnect provides this (RADIUS authorization with optional SGT) for wired clients today when Passive ID method is WMI.

View solution in original post

6 REPLIES 6
Highlighted
Cisco Employee

Re: ISE VDI Integration Guide

Hi,

we are currently working on developing an agent to sit on windows/Citrix servers to provide the IP differentiation required for TrustSec/group based policies.

A release by the end of the year is the target.

Regards, Jonothan.

Highlighted
Advocate

Re: ISE VDI Integration Guide

Note that there is also the TS-Agent that will send Passive ID info from term server to ISE which will get published to subscribes such as FTD today which includes the IP and port range assigned to connecting client, but Passive ID does not currently instantiate a session with SGT mapping.  EasyConnect provides this (RADIUS authorization with optional SGT) for wired clients today when Passive ID method is WMI.

View solution in original post

Highlighted
Beginner

Re: ISE VDI Integration Guide

Please suggest if there is any support for the VDI infra with Cisco ISE, we need to test few of the below used cases , we generally use Cisco Amyconnect agent with EAP-Fast/EAP-TLS however there isnt any documentation wrt to the support for VDI infrastructure.
 
Used Cases:
-User + Machine Authentication
-Posture Assessment 
 
Any pointers in the matter would be helpful!!
Highlighted
Advocate

Re: ISE VDI Integration Guide

Note that there is also the TS-Agent that will send Passive ID info from term server to ISE which will get published to subscribes such as FTD today which includes the IP and port range assigned to connecting client, but Passive ID does not currently instantiate a session with SGT mapping.  EasyConnect provides this (RADIUS authorization with optional SGT) for wired clients today when Passive ID method is WMI.

Highlighted
Cisco Employee

Re: ISE VDI Integration Guide

Do you have any updates on development of that agent sitting on Citrix servers?

Highlighted
Cisco Employee

Re: ISE VDI Integration Guide

Latest information from the Product Manager:

 

"We're collecting customer information to enrich the business justification that we're putting together to secure funding to complete the project.

Is there any information you can share about the customer (number of users, Microsoft Server version XenApp/Desktop version, deal value,..) or the partners interest (is the partner seeing a demand for this)?"