Cisco Community
English
Register
Would you like to learn more about how to determine if you need an RMA? - REGISTER TODAY!
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

558
Views
10
Helpful
3
Replies
Rafael Jimenez
Enthusiast
Enthusiast
‎05-22-2020 04:06 PM
‎05-22-2020 04:06 PM

Network Access Control and cloud

I have a customer that start the journey to the cloud two years ago. 

The solution for the perimeter, ISE was selected.

Now after the covid-19, 90% of the workers will continues as teleworker. 

60% of the apps are SaaS including office 365.

Today, they don´t see the value of the ISE and the project is in standby.

My question is: is a NAC like ISE still a valid solution if today the perimeter doesn´t exits anymore?.

Thanks

3 REPLIES 3
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
‎05-22-2020 07:59 PM
‎05-22-2020 07:59 PM

This is very much opinion but here are a few things to think about.

In your scenario there are still 10% of workers that go in to an office. This means there are still offices and enterprise ports that can be exploited, ISE can still be used here.

The other initiative I have seen taking off is the concept of remote access points. Remote access points build a VPN tunnel into an enterprise headend, these have both wired ports and enterprise WLANs on them. This extends the footprint of the enterprise network in to the home, even more reason to leverage ISE for visibility and enforcement. You certainly want to know what is coming on the network in this scenario.

Another consideration could be the 40% of those apps that aren't public cloud/SaaS likely sit in enterprise private/hybrid data centers and require users or machines to VPN in. ISE can be leveraged to authenticate employees and their devices whether they are BYOD or enterprise owned. You can leverage posture assessments to ensure they meet the security policies of the enterprise, and you can grant varying levels of access based on this.
Ping Zhou
Collaborator
Collaborator
‎05-23-2020 09:23 AM
‎05-23-2020 09:23 AM

For teleworkers, we are using ISE with 3rd party Firewalls that have WiFi interfaces. Teleworkers use WiFi interfaces to access the corporate resource which are NACed by ISE, just RADIUS / EAP-TLS over WiFi.
0 Helpful
thomas
Cisco Employee
Cisco Employee
‎05-26-2020 02:04 PM
‎05-26-2020 02:04 PM

Please see Cisco's approach to Zero Trust @ https://cisco.com/go/zerotrust which will address your question at an architectural level.

ISE is a AAA server for network users (RADIUS) and network devices (TACACS), wherever they are.

  • VPN: users may now be at home now instead of the office but most likely will still need to securely connect for some apps via VPN using AnyConnect to ISE for authentication and potentially posture. ISE is licensed by active endpoints regardless of where/how they are connected: wired, wireless or VPN.
  • Wired: do you still have buildings? Do they still have IP phones? Printers? Network attached TVs or projectors? How about IOT devices in the form of elevators, thermostats, RFID/badge readers, surveillance, PoE-anything, etc.? You will probably want to ensure all access via those ports is authenticated and authorized appropriately via ISE and potentially profiled to minimize your threat surface.
  • Wireless: If you still have buildings you probably still have wireless. The first thing you do when deploying wireless is enterprise RADIUS-based authentication with ISE. You may have fewer employees in the office but you may still need to have wireless access for your guests which is also provided by ISE. And since your employees are more mobile than ever and probably using whatever device is convenient you'll want to have MDM on those devices before they get full access to your corporate data wherever it lives. MDM enforcement of MDM is also done with ISE.
  • CVO (Virtual Office): essentially a micro-branch whether with some combination of router, AP, and/or switch. You still want to authenticate your users - and their devices connecting to your CVO in their home - before allowing access to your infrastructure.
  • Network Infrastructure: as long as you still have any of the above, you will need to authenticate your network admins - or scripts/tools - for SSH/CLI access to audit who did what, when and where.

So, yes, still quite valid.

0 Helpful
Latest Contents
Azure AD SSO with multiple ISE Portals
Created by Greg Gibbs on 05-11-2021 04:11 PM
0
5
0
5
Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to leverage Microsoft Single Sign-On for multiple ISE Portals (for example Sponsor and Guest/BYOD Portals). At the time of this writing, ISE cann... view more
ISE BYOD Flow Using Azure AD
Created by Greg Gibbs on 05-10-2021 10:02 PM
0
10
0
10
IntroductionPrerequisitesConfiguration Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to create a BYOD Flow to provide Wireless network access using an employee’s Azure AD credentials. The use... view more
Cisco + Splunk Integrations Add-on List
Created by Sar on 05-07-2021 12:27 AM
0
5
0
5
The table below shows the whole Cisco Security solutions + Splunk integrations add-ons. Kindly let me know if I have missed some add-ons or if there are any new updates. Thank you!   Hope this will be helpful for everyone who is looking for Splunk in... view more
FMC API | ACP - Delete disabled rules and generate report.
Created by Anupam Pavithran on 05-06-2021 06:48 AM
0
5
0
5
A python based script to generate report if there are disabled rules under an Access Control Policy and an option to delete those rules in bulk.   Preparation Step 1 Download the script on PCStep 2 Make sure python3 is installed on PC and have reach... view more
FMC API | ACP Double logging detection and mitigation script
Created by Anupam Pavithran on 05-06-2021 06:09 AM
0
5
0
5
A python based script to generate report if there are double logging on FMC ACP (logging at beginning and end), having rule action "Allow" or "Trust". (Option1 ) Also, the logging at the begging will be disabled if logging is detected for both beginning ... view more
Content for Community-Ad