Enthusiast

Network Access Control and cloud

I have a customer that started the journey to the cloud two years ago.

For the perimeter solution, ISE was selected.

Now, after COVID-19, 90% of the workers will continue as teleworkers.

60% of the apps are SaaS, including Office 365.

Today, they don't see the value of ISE and the project is on standby.

My question is: is a NAC like ISE still a valid solution if today the perimeter doesn't exist anymore?

Thanks

VIP Advisor

Re: Network Access Control and cloud

This is very much opinion but here are a few things to think about.

In your scenario there are still 10% of workers that go into an office. This means there are still offices and enterprise ports that can be exploited; ISE can still be used here.

The other initiative I have seen taking off is the concept of remote access points. Remote access points build a VPN tunnel into an enterprise headend, and they have both wired ports and enterprise WLANs on them. This extends the footprint of the enterprise network into the home, which is even more reason to leverage ISE for visibility and enforcement. You certainly want to know what is coming onto the network in this scenario.

Another consideration could be the 40% of those apps that aren't public cloud/SaaS likely sit in enterprise private/hybrid data centers and require users or machines to VPN in. ISE can be leveraged to authenticate employees and their devices whether they are BYOD or enterprise owned. You can leverage posture assessments to ensure they meet the security policies of the enterprise, and you can grant varying levels of access based on this.
Collaborator

Re: Network Access Control and cloud

For teleworkers, we are using ISE with 3rd-party firewalls that have WiFi interfaces. Teleworkers use the WiFi interfaces to access the corporate resources, which are NACed by ISE, just RADIUS / EAP-TLS over WiFi.
Cisco Employee

Re: Network Access Control and cloud

Please see Cisco's approach to Zero Trust @ https://cisco.com/go/zerotrust which will address your question at an architectural level.

ISE is an AAA server for network users (RADIUS) and network devices (TACACS), wherever they are.

  • VPN: users may now be at home instead of the office, but most likely they will still need to securely connect for some apps via VPN, using AnyConnect to ISE for authentication and potentially posture. ISE is licensed by active endpoints regardless of where/how they are connected: wired, wireless or VPN.
  • Wired: do you still have buildings? Do they still have IP phones? Printers? Network-attached TVs or projectors? How about IoT devices in the form of elevators, thermostats, RFID/badge readers, surveillance, PoE-anything, etc.? You will probably want to ensure all access via those ports is authenticated and authorized appropriately via ISE, and potentially profiled, to minimize your threat surface.
  • Wireless: if you still have buildings, you probably still have wireless. The first thing you do when deploying wireless is enterprise RADIUS-based authentication with ISE. You may have fewer employees in the office, but you may still need to have wireless access for your guests, which is also provided by ISE. And since your employees are more mobile than ever and probably using whatever device is convenient, you'll want to have MDM on those devices before they get full access to your corporate data wherever it lives. Enforcement of MDM is also done with ISE.
  • CVO (Virtual Office): essentially a micro-branch with some combination of router, AP, and/or switch. You still want to authenticate your users - and their devices connecting to your CVO in their home - before allowing access to your infrastructure.
  • Network Infrastructure: as long as you still have any of the above, you will need to authenticate your network admins - or scripts/tools - for SSH/CLI access, to audit who did what, when and where.

So, yes, still quite valid.