10-11-2016 01:14 PM
My customer is a Core Banking Solution provider; they manage the DC service, and the branches are managed by banks.
The customer is looking for a NAC solution which can be implemented in the DC without touching the branches.
I am looking for pointers on how we can use ISE to allow only domain users on authorized machines.
All other personal or unauthorized laptops are to be blocked.
10-13-2016 06:48 AM
Use AD as the ID source and check AD group memberships to allow only domain users. Use ISE profiling and/or ISE posture to enforce on authorized machines. If Windows, then it's possible to use EAP Chaining to check both user and machine identities via EAP-FAST. Another option is to use CWA chaining.
10-13-2016 06:55 AM
Hi
Will this work without any control over the access switches? The customer wants the solution to work with end-user machines only, with ISE being deployed at the data center.
The branch network is not under his control.
10-17-2016 02:19 PM
Please see the latest ISE Compatibility Guide for supported network access devices.
ISR 8xx have relatively poor ISE feature support on switchports beyond basic 802.1X and TrustSec:
If they don't own/manage the ISR800's it doesn't really matter since you will have no way to configure and manage the endpoint at the edge 8-(