03-19-2019 06:48 AM - edited 03-19-2019 06:54 AM
Hi,
It seems that I will be using native supplicant for my machine and user authentication because of licensing with AnyConnect NAM.
Anyway, based on the design, once machine authentication succeeds the endpoint will be placed into a machine VLAN (like a landing VLAN, which has limited access); then once user authentication succeeds, the endpoint will be placed into the user VLAN, which has access to everything.
Here is my concern: I believe that ISE does not send a CoA after user authentication, meaning the endpoint is still in the machine VLAN with the same IP. How do I overcome this scenario? Or what should be the best approach for this one?
Thanks
03-19-2019 07:27 AM
Doing a VLAN switch after the initial connection is always tough and something I wouldn't attempt. If you are really set on trying it, you could do an Auto Smartport macro that would bounce the port, but then you are going to disconnect the phone if there is one.
What is the purpose of changing VLANs? The concept of VLANs for security is a bit dated (although still used heavily). You can push DACLs, SGT tags, etc. to grant different levels of access without relying on VLAN changes.
03-19-2019 09:14 PM
Hi @paul ,
It is just to simplify the use of ISE for operational purposes. The client wants, after a successful machine authentication, to put the endpoint into a machine VLAN with limited access, and then after a successful user authentication, to put it into the user VLAN with full access.
Are there any other ways, other than using an Auto Smartport macro, to address my concern?
Thanks
03-20-2019 05:13 AM
I don't think the Auto Smartport macro will work well in this case. Part of our job as ISE consultants is to advise customers on best practices and help them avoid bad designs. What you just described is a bad design in my opinion, and I wouldn't let one of my customers go down this path.
If the device completes computer authentication correctly, it has proven that it is a corporate asset. Why place it in a VLAN with limited access? If they want to do some restrictions, use a DACL.
03-20-2019 05:37 AM
03-20-2019 07:47 AM
Hi @Mike.Cifelli, I agree with that also, and at first I suggested AnyConnect NAM, but upon checking, AnyConnect 4.x now needs a license even if I will just use the NAM module.
03-20-2019 07:55 AM
Why does the customer need to go to User authentication? Many customers just want to make sure the device that is connecting is a corporate asset. PEAP Computer authentication tells you that. If you don't have differentiated user access policies or aren't feeding user information to pxGrid connected systems then there is no reason to go to user mode authentication.
03-20-2019 08:00 AM
Hi @paul, they have user-differentiated access.
03-20-2019 09:15 AM
04-02-2019 03:38 AM
@Mike.Cifelli, I was able to convince the admin about the limitation of MAR, and now we will just be using machine authentication to determine organizational assets.