03-05-2012 02:21 AM - edited 03-10-2019 06:52 PM
Hi all,
I have been looking in to an enterprise wide wireless solution for my company and I completely understand wireless posturing using WLC's & ISE's at our campus sites however what I am struggling to get a black and white answer for, is whether the same posturing can be done at the branch without having to tunnel all wireless traffic back to our DataCenters.
We have a number of small sites (5 - 15 users on DSL), and we do not want to tunnel traffic back due to limited bandwidth so we want to know whether using Cisco kit can help us keep the wireless traffic locally switched and still apply posturing and automatic remediation techniques.
Our Cisco partner have advised that we should use H-REAP or FlexConnect as its known now. But they advise that the drawback to this is that APs in H-REAP mode are not compatible with the ISE currently meaning that that the only way of achieving posturing is tunnelling all wireless traffic back to the DataCenter.
I thought that posturing only requires to see the report from the NAC agent on the client machines. I did not think that posturing required that the ISE actually needs to look at the clients traffic.
I can understand that maybe we will need a WLC at every site as the WLC supports the RADIUS CoA attribute, but will we need an ISE as well?
Currently, I cannot find any Cisco Wireless / ISE design examples that fit our requirements. Effectively, we have 2 datacenters and then hundreds of very small DSL branch sites, and a few bigger branch sites with 10mbps ethernet bearers. Our end goal in security is that we want to provide 802.1x authentication at the network edge both wirelessly and wired. Can Cisco kit currently do this?
I hope this all makes sense.
thanks
Mario De Rosa
03-05-2012 08:05 AM
Has any one had any experience doing NAC at branch sites either using the new ISE, or with the older NAC, CAS, ACS appliances?
03-23-2012 07:17 AM
After much digging around, I have found out that in ISE release 1.2 all H-REAP or Flex Connect APs will be able to be postured from a single central ISE in the datacenter without the need for a WLC and an ISE on every single branch site.
Effectively what happens is that when the client initially connects, all traffic is tunneled to a central WLC in the DC so that the ISE can posture assess and profile.
Once Posturing is complete, the client then turns in to a H-REAP / Flex Connect client so that traffic can be switched locally.
This is a big boost for Cisco to come up with this!
I think 1.2 is coming out in Q2 2012. cant wait!
Mario
03-24-2012 03:30 AM
This was a very interesting question. But can you explain why only ISE 1.2 will support this ? What difference does it make if the client is HREAP since, as you said, it starts as centrally switched for his authentication anyway.
I never tried this setup, so I'm interesting in finding it out.
05-12-2012 12:16 PM
Hi there,
I would be interested, if someone could post a "field" feedback with a working H-REAP design.
We are planing to implement ISE on the main-site with branches on H-REAP as well.
Thanks,
Norbert
05-14-2012 01:07 PM
I don't know the answer, but I'm guessing it has to do with the VLAN the SSID gets mapped to. Initially they would connect to a guest type VLAN that gets tunneled back to the controller and once posturing is done, it switches to a VLAN that is locally switched at the AP via H-REAP. I have a similar setup without the posturing. Trusted computers connect to an SSID at the branch that gets switched locally and Guest users connect to an SSID that maps to a VLAN that gets tunneled back to the controller for termination at a firewall interface.
06-22-2012 03:10 AM
OK,
i havent got the full answer yet as we are still testing this but essentially we want to be able to posture and remediate devices in branch sites as well as the corporate HQ.
In previous versions of the ISE, it could not do that. An ISE & a wireless LAN controller would be needed at every branch site to do this!!!
Now though, we are testing with the latest code of the WLC & ISE from Cisco. My understanding is that you can set APs to work in the traditional "Local" mode, tunnelling back to the controller & "Flex Connect" mode, which is local switching.
For Flex Connect APs, i think the initial data packets are tunneled back to the controller and postured through the ISE at the DataCenter and then once complete, the AP switches the client back to a local switched session.
Once we have tested I will let you know the results.
Mario
09-19-2012 09:54 AM
Any results?
Thanks
Norbert
Sent from Cisco Technical Support iPhone App
09-19-2012 10:06 AM
I don't know about posturing but profiling, switching vlans and all that works fine in Flex mode with ise 1.2 and wlc 7.3 (also 7.2)
On WLC 7.3 you even can build access list and define what traffic goes local and what goes back to DC if you really need that deep dive
Ise 1.1 did not support that as far as I remember.
09-20-2012 08:27 AM
Hi,
One important problem that we came up against with FlexConnect clients was that the ISE could not push an ACL when doing a CoA.
So, when a client needs to go through posture, you can push out a VLAN, and an ACL restricting network access.
BUT...
once passed posture and the ISE issues a CoA, the ISE can only push a VLAN to place the client in to. The ISE completely removes the ACL, affectively permitting complete unrestricted access to the network. Meaning that you cannot push dACL's for particular user types.
This is probably not much of an issue if you have full control and management of your own WAN. We do not, so to have VLANs added to remotes sites for particular groups of users would have cost us money every time. Plush changing any ACLs on our WAN routers would also have cost us money.
I'm not sure whether this is a Wireless Controller limitation or an ISE limitation.
Mario
09-20-2012 10:37 AM
Mario,
As you know now that flexconnect is not support for this reason. Also you conclusion with dACL and WLC is correct, unless I am missing something the dACL feature only works with ASA and the switchports (wired), all reference guides to WLC always point to assigning an ACL to a user that is defined on the controller.
I know that there is a flexconnect acl feature but nothing from the ISE world has come out and said if this is supported or somehow could be leveraged. I hope/sure that something should be coming out as flexconnect/hreap is to me the best way to go in a network simliar to yours.
Thanks,
Tarik Admani
*Please rate helpful posts*
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide