Question on Easyconnect

mcavinat
Cisco Employee

Hi folks, I'm not very familiar yet with Easyconnect and its limitations.

Main question is, considering the below traditional remediation actions with 802.1x, can we do ALL of them with Easyconnect?

- Shutdown on Switch port

- Change VLAN on port

- dACL on Port

- Disconnect user from VPN

- Block user on SSID with WLC

Thanks

Accepted Solution

Jason Kunst
Cisco Employee

You're mixing different modes incorrectly.

Easy Connect is for wired use cases where customers don't want to deploy a wired supplicant. It's an easy way to start getting visibility and control with ISE. It is still recommended to deploy 802.1X eventually, as it's the more secure and recommended method.

A VLAN change is not going to work correctly, as this requires a supplicant to release/renew the IP address. The recommendation would be to deploy segmentation using SGTs. You could use ACLs, but they don't scale that well compared to the tagging.

About shutting down the switch port: likely through a manual CoA action. What is the use case? Why would you want to do that instead of changing the tag or ACL?

Disconnect user on VPN: not sure what you're trying to do, as Easy Connect doesn't play with VPN, and the same goes for blocking a user on an SSID.


3 Replies


Jason, thanks and agreed.

This is an RFP that I'm filling in, and basically for each of the above situations they ask if we can do it WITH .1x and WITHOUT.

Would you agree that, TECHNICALLY, "NOT .1x" could be interpreted for RFP purposes as allowing MAB, and then we could say "yes" to all of the above? I was thinking of Easyconnect, but as this is an RFP, creativity is important.

The following with MAB?

- Shutdown on switch port: Yes

- Change VLAN on port: Yes, but not recommended

- dACL on port: Yes

- Disconnect user from VPN: No such mechanism.

- Block user on SSID with WLC: There are ways with profiling groups, etc., that's possible, I guess.
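The accepted answer says the "shutdown on switch port" action would be driven by a CoA, and the MAB answers above mark port shutdown and dACL as "Yes". The following is an added example, not code from the thread or from Cisco ISE, showing what that CoA looks like on the wire: an RFC 5176 CoA-Request carrying a Cisco-AVPair of `subscriber:command=disable-host-port` (the Cisco AV-pair the switch acts on; `bounce-host-port` and `reauthenticate` are the sibling commands), the Request Authenticator a switch checks before it obeys, and the Response Authenticator the policy server checks on the ACK/NAK. The shared secret, NAS IP and MAC are constructed sample values, and nothing is sent on the network.

```python
"""RFC 5176 RADIUS CoA-Request builder/verifier for Cisco AV-pair port actions.

Added example (not ISE code). Shared secret, NAS IP and MAC below are
constructed sample values; the packets are built and checked in memory only.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC, ATTR_CALLING_STATION_ID = 4, 26, 31
ATTR_ERROR_CAUSE = 101          # RFC 5176 s3.5, e.g. 503 = Session Context Not Found
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

# Cisco AV-pair commands a CoA can carry. "shutdown" is the port-shutdown
# remediation from the thread; "bounce" flaps the port so the host re-DHCPs
# (why a VLAN change needs it); "reauth" re-runs MAB/802.1X on the session.
COA_COMMANDS = {
    "shutdown": "subscriber:command=disable-host-port",
    "bounce": "subscriber:command=bounce-host-port",
    "reauth": "subscriber:command=reauthenticate",
}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts its own two header bytes (RFC 2865 s5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping a Cisco-AVPair (vendor 9, vendor-type 1)."""
    inner = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(inner) + 2) + inner
    return _attr(ATTR_VENDOR_SPECIFIC, vsa)


def build_coa_request(secret: bytes, nas_ip: str, mac: str, command: str, identifier: int) -> bytes:
    """CoA-Request for the session keyed by NAS-IP-Address + Calling-Station-Id."""
    attrs = (_attr(ATTR_NAS_IP_ADDRESS, IPv4Address(nas_ip).packed)
             + _attr(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair(COA_COMMANDS[command]))
    header = HEADER.pack(CODE_COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """The check a switch's dynamic-author client makes before acting on a CoA."""
    if len(packet) < 20:
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    if HEADER.unpack(header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """CoA-ACK/NAK as the switch would answer (constructed here to exercise verify_response)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Accept an ACK/NAK only if bound to our request (same ID, our Request Authenticator)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs after the 20-byte header; a truncated attribute is an error."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, packet[i + 2:i + length]))
        i += length
    return out


def coa_command_of(packet: bytes) -> Optional[str]:
    """Return the Cisco-AVPair text carried by the packet, if any."""
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                return value[6:vlen + 4].decode()
    return None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed; must match the switch's dynamic-author key
    req = build_coa_request(SECRET, "10.0.0.1", "00-11-22-33-44-55", "shutdown", identifier=7)
    print(req.hex())
    print(coa_command_of(req), "valid:", verify_request(req, SECRET))
    ack = build_response(CODE_COA_ACK, req, SECRET)
    print("ACK bound to request:", verify_response(ack, req, SECRET))
```

For a real switch the bytes go over UDP to the CoA listener (Cisco IOS defaults to port 1700; RFC 5176 registers 3799), and the switch only honours them if the sender's IP and key are configured under `aaa server radius dynamic-author`. The authenticator is an MD5 keyed by a shared secret, not a MAC or a signature, so the check in `verify_request` is the only thing standing between any host that can reach that port and an err-disabled access port; treat the CoA key with the same care as the RADIUS key.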