
Which way to enforce policy for endpoint from gateway router instead of switch

Hiep Nguyen
Level 1

Dear team,

I am proposing ISE to a customer. They want to deploy ISE as the central authentication and policy point for users in branches. I would like to ask if this scenario is possible or not:

- When a user client is plugged into an access switch, the switch will use 802.1X or MAB on the switch port.

- After authentication, as the normal method, we will push a dACL or VLAN change from ISE to the switch in the authorization statements. But the customer doesn't want to apply a port ACL on the switch. They want to enforce policy from the gateway router.

So is there any way to do that? I'm thinking about SGT, but I don't have any experience with it. Please help to solve this problem. Thank you very much.

Kind regards,

Hiep Nguyen.

Accepted Solution

Tarik Admani
VIP Alumni

Hiep,

You can use authentication proxy to push ACLs for users on the router. However, the port-based ACL is your best approach because you can determine authorization at the port level, and if the user moves, so does the policy.

thanks,

Tarik Admani
*Please rate helpful posts*
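The two enforcement points Tarik compares, side by side as an added IOS configuration example (not from either post, and not a Cisco reference configuration): the access switch doing 802.1X/MAB and taking a dACL from ISE, and the gateway router using IOS authentication proxy with the per-user ACL entries ISE returns. The ISE address, shared secret, VLAN, interface names and ACL names are assumptions; on the ISE side the matching authorization profile would return the dACL for the switch case and cisco-av-pair values of the form proxyacl#n=permit ... for the auth-proxy case.

```cisco
! --- Access switch: 802.1X with MAB fallback, per-session dACL from ISE ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813   ! assumed ISE PSN
 key <shared-secret>                                      ! placeholder
dot1x system-auth-control
ip device tracking        ! needed so the switch can bind the dACL to the host IP
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode multi-auth
 mab
 dot1x pae authenticator
! The dACL is tied to the authenticated session on this port: move the user to
! another 802.1X port and the same authorization follows them there.
!
! --- Gateway router: IOS authentication proxy (the "enforce on the router" option) ---
! The static inbound ACL only leaves bootstrap traffic open. The first HTTP
! connection from a host is intercepted, the user is authenticated against
! ISE/RADIUS, and the proxyacl# entries returned for that user are inserted
! ahead of the static ACL for that source IP until the cache entry expires.
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
ip http server
ip http authentication aaa
ip auth-proxy name BRANCH-PROXY http
!
ip access-list extended BRANCH-IN
 permit udp any any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
interface GigabitEthernet0/0
 description LAN toward the branch access switch (assumed)
 ip address 10.10.10.1 255.255.255.0
 ip access-group BRANCH-IN in
 ip auth-proxy BRANCH-PROXY
! Here the policy is keyed to the host's source IP at the router, not to the
! switch port, which is the limitation behind the answer above.
```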


2 Replies


Thank you Tarik for your guidance.
