11-28-2017 08:03 PM
Hi team,
I’m working with a customer who has a requirement to authenticate routers against ISE using digital certificates.
They want to ensure that any network devices, such as IOS routers and switches, are subjected to machine authentication using identity certificates pre-installed on the device when these devices are deployed to their network.
In essence, the routers and switches in their deployment should authenticate themselves before being granted network access.
This requirement of theirs stems from the fact that the entire solution is being designed for the defense vertical.
Any insight on how this requirement can be met, ISE or otherwise, will be much appreciated!
11-28-2017 11:54 PM
I don't get why the customer wants this. These devices are usually added to ISE, in the network device list. And if for some reason authentication fails, it will DENY ACCESS. If the NAD is in deny access, all endpoints will not be able to have access. I think this is not recommended. And usually all RADIUS and TACACS are included in the triple AAA model.
Here in the community we have some gurus and they will answer you, but as I mentioned, this is not good.
11-30-2017 10:38 PM
Are you talking about NEAT? Please take a look at this doc.
NEAT Configuration Example with Cisco Identity Services Engine - Cisco
-Krishnan
11-30-2017 10:49 PM
Hi Krishnan,
NEAT isn't the scenario that the customer is looking at.
From what I understand, NEAT is an 802.1x scenario where both the authenticator (IOS switch) as well as the supplicant mutually authenticate each other rather than only the supplicant being authenticated, which is normally the case.
The requirement is simply one where IOS routers and IOS switches themselves will be supplicants to the network, with certificates being their 802.1x credentials (perhaps EAP-TLS needs to be the 802.1x method?).
Regards,
Sundar
11-30-2017 11:09 PM
You are talking about NDAC, which establishes the TrustSec domain boundary.
Here is the doc that nicely explains all about NDAC.
-Krishnan