09-03-2020 04:51 AM
Hello All,
In preparing for an ISE deployment, i would appreciate inputs on some basics which has arised from arguments within varied factions of an IT team in our organisation.
a) ISE for Lan - ofcourse this is to prevent any non-organisational laptop from connecting to our Lan points
across office space. This will be very basic one and debate is what should happen if an unwanted laptop is put on our lan points :- should it be placed on another dummy vlan with no access at all or should it be placed on a limited access vlan? If on limited access vlan, what access at bare minimum should it have?
b) Whether to use certificates for identifying our organisation laptop when connected or should it be something else too?
Please suggest. Thank you in advance.
Solved! Go to Solution.
09-03-2020 05:24 AM
IMO the answer to question A depends on your requirements. In one customer's environment we utilize the default authz policy to allow limited access to dhcp and ISE PSNs. In this scenario we utilize a hotspot portal that essentially pops up with a splash page stating if you think you require network access please call the help desk and open a ticket. The ability for these hosts to obtain an IP and hit the portal allows minimal connectivity, but also provides context visibility for random devices connecting to the network. In this scenario you have to ensure you properly build out your policies so that legitimate hosts match prior to default policy. As for part B I think anyone would argue that using some fashion of certificate authentication is absolutely more secure than other mechanisms such as mab. In this scenario you will want to determine what supplicant you wish to use (native or anyconnect). Also, take a peek into device profiling and/or ISE posture capabilities. There are some really cool tools that can be utilized that will help strengthen security and enforce network policy. See the following for additional information:
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
https://labminutes.com/video/sec
Good luck & HTH!
09-03-2020 05:24 AM
IMO the answer to question A depends on your requirements. In one customer's environment we utilize the default authz policy to allow limited access to dhcp and ISE PSNs. In this scenario we utilize a hotspot portal that essentially pops up with a splash page stating if you think you require network access please call the help desk and open a ticket. The ability for these hosts to obtain an IP and hit the portal allows minimal connectivity, but also provides context visibility for random devices connecting to the network. In this scenario you have to ensure you properly build out your policies so that legitimate hosts match prior to default policy. As for part B I think anyone would argue that using some fashion of certificate authentication is absolutely more secure than other mechanisms such as mab. In this scenario you will want to determine what supplicant you wish to use (native or anyconnect). Also, take a peek into device profiling and/or ISE posture capabilities. There are some really cool tools that can be utilized that will help strengthen security and enforce network policy. See the following for additional information:
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
https://labminutes.com/video/sec
Good luck & HTH!
09-03-2020 05:33 AM
Hi
For point a) It varies on your security posture. You can have an auth fail VLAN that is essentially an internet only guest VLAN with a redirection to a portal to accept AUP. That means anyone who is not known will get internet - less hassle and overhead for contractors who need to call home via VPN or use SaaS applications (which is more commonly the case these days). Random people plugging into you LAN should no have intranet access. If you had a specialist contractor coming to site who temporarily needed access to your network, then create an ISE MAB policy that checks an Identity Group of MAC addresses that puts those users into an employee VLAN. It means that an IT admin could add your laptop MAC address into that Identity Group for the time you're on site, and then delete it when you leave. Alternatively (but more painful) is to ask your visitor to enable the Wired 802.1X on their laptop and then perform PEAP (and provide them with an AD account for the day).
For point b) I think TEAP is worth looking at, since ISE 2.7 and latest Windows 10 supports it. Are you talking about wired scenario? I think machine account auth is probably best, because it will perform this during boot up. Once user logs in, you don't want to perform another EAP authentication, unless you unplug from LAN (or if the laptop went into sleep mode) ... or you switch from wired to wireless and back ... it gets ugly. I have not tried TEAP, but I believe it's the answer to all our prayers :-p
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide