cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
745
Views
0
Helpful
2
Replies

NAC implementation

Ciscospy
Level 1
Level 1

Dear sir

 

Please let me know

 

Whether we require below features for NAC implementation and why do we require. which switch supports these features for NAC implementaion.s

1.Multidomain authentication.

2.Dynamic ACLs for switch ports.

3.Radius attribute for Captive Portal / Web Authentication redirection

4. 

2 Replies 2

Francesco Molino
VIP Alumni
VIP Alumni

Hi 

 

Let me reply to all your points: 

- Multi domain authentication is required if you have a voice device and data device connected to the same port. You want to apply different policies to those 2 devices which are for different use. There is also a multi host authentication if you have for example multiple devices connected to the same switch port. Ford multi domain, we're leveraging cdp or lldp protocol to identify voice devices.

 

- Dynamic acls. There're 2 topics here. On some devices, you need to create the acl locally on the device and push the acl name from your radius to apply this acl to a particular port or user (example for wireless controller). You have a second topic called downloadable acl. This means that you create acl on your radius server (like ISE) and you push that acl on a per authentication basis. It's the same as previously explained except that you don't need to configure those acls on every switches. You just configure them on the radius server. It's better for management for example because you maintain them on 1 central point instead of hundreds and hundreds of switches. 

 

- web auth. This allows devices not being authenticated through dot1x or mab process to get a chance to type in some credentials to authenticate and get network access (example for guest). Now you have different ways to achieve that, you can send a redirect URL directly to the switch or make (like ISE) the radius as dhcp server. There just important part in that way (dhcp) is that your radius server will be the dns server, it will intercept all dns requests from the user to make a redirect to the guest portal. This is mandatory for 3rd party switches that don't support URL redirect. 

 

All switch vendor support basic features but not advanced like port-bounce for example if you want to do CoA (change of authorization) based a device profiling. 

 

Now if i have to give you a vendor name, I'll say Cisco for sure.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Marvin Rhoads
Hall of Fame
Hall of Fame

In addition to the earlier answer you should also refer to the Cisco ISE Network Component Compatibility Guide for features vs. switch models.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html#13367