Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1291
Views
10
Helpful
2
Replies

network control

Go to solution
suthomas1
Level 6
Level 6

‎09-03-2020 04:51 AM

Hello All,

 

In preparing for an ISE deployment, i would appreciate inputs on some basics which has arised from arguments within varied factions of an IT team in our organisation.

 

a) ISE for Lan - ofcourse this is to prevent any non-organisational laptop from connecting to our Lan points

    across office space. This will be very basic one and debate is what should happen if an unwanted laptop      is  put on our lan points :- should it be placed on another dummy vlan with no access at all or should it be    placed on a limited access vlan? If on limited access vlan, what access at bare minimum should it have?

 

b) Whether to use certificates for identifying our organisation laptop when connected or should it be something else too?

 

Please suggest. Thank you in advance.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎09-03-2020 05:24 AM

IMO the answer to question A depends on your requirements.  In one customer's environment we utilize the default authz policy to allow limited access to dhcp and ISE PSNs.  In this scenario we utilize a hotspot portal that essentially pops up with a splash page stating if you think you require network access please call the help desk and open a ticket.  The ability for these hosts to obtain an IP and hit the portal allows minimal connectivity, but also provides context visibility for random devices connecting to the network.  In this scenario you have to ensure you properly build out your policies so that legitimate hosts match prior to default policy.  As for part B I think anyone would argue that using some fashion of certificate authentication is absolutely more secure than other mechanisms such as mab.  In this scenario you will want to determine what supplicant you wish to use (native or anyconnect).  Also, take a peek into device profiling and/or ISE posture capabilities.  There are some really cool tools that can be utilized that will help strengthen security and enforce network policy.  See the following for additional information:

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

https://labminutes.com/video/sec

Good luck & HTH!

View solution in original post

2 Replies 2

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎09-03-2020 05:24 AM

IMO the answer to question A depends on your requirements.  In one customer's environment we utilize the default authz policy to allow limited access to dhcp and ISE PSNs.  In this scenario we utilize a hotspot portal that essentially pops up with a splash page stating if you think you require network access please call the help desk and open a ticket.  The ability for these hosts to obtain an IP and hit the portal allows minimal connectivity, but also provides context visibility for random devices connecting to the network.  In this scenario you have to ensure you properly build out your policies so that legitimate hosts match prior to default policy.  As for part B I think anyone would argue that using some fashion of certificate authentication is absolutely more secure than other mechanisms such as mab.  In this scenario you will want to determine what supplicant you wish to use (native or anyconnect).  Also, take a peek into device profiling and/or ISE posture capabilities.  There are some really cool tools that can be utilized that will help strengthen security and enforce network policy.  See the following for additional information:

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

https://labminutes.com/video/sec

Good luck & HTH!

Go to solution
Arne Bier
VIP
VIP

‎09-03-2020 05:33 AM

Hi 

 

For point a) It varies on your security posture. You can have an auth fail VLAN that is essentially an internet only guest VLAN with a redirection to a portal to accept AUP. That means anyone who is not known will get internet - less hassle and overhead for contractors who need to call home via VPN or use SaaS applications (which is more commonly the case these days). Random people plugging into you LAN should no have intranet access. If you had a specialist contractor coming to site who temporarily needed access to your network, then create an ISE MAB policy that checks an Identity Group of MAC addresses that puts those users into an employee VLAN. It means that an IT admin could add your laptop MAC address into that Identity Group for the time you're on site, and then delete it when you leave. Alternatively (but more painful) is to ask your visitor to enable the Wired 802.1X on their laptop and then perform PEAP (and provide them with an AD account for the day).

 

For point b) I think TEAP is worth looking at, since ISE 2.7 and latest Windows 10 supports it. Are you talking about wired scenario? I think machine account auth is probably best, because it will perform this during boot up. Once user logs in, you don't want to perform another EAP authentication, unless you unplug from LAN (or if the laptop went into sleep mode) ... or you switch from wired to wireless and back ... it gets ugly. I have not tried TEAP, but I believe it's the answer to all our prayers :-p

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents