Looking for some advice on Implementing NAC across the enterprise. The environment uses laptops, desktops and thin-clients (Vmware VIEW, VDI) which connect to ESX servers where the actual machines reside (running Windows 7 and Windows XP operating systems).
So the question is: can I use a NAC server to posture-assess/authenticate the thin-client users?
This is what I am thinking:
- NAC – OOB would not be supported in this design, since the ESX connection to the switch would be a trunk link. Also, the thin-client connection to the switch always stays up.
- NAC – Inband would be supported, but could potentially be a bottleneck because the customer has a 10 gig backbone network.
I am thinking I could use two different NAC appliances as part of the solution:
- Use one appliance in Inband mode and use it for the ESX servers. Use the profiler to exempt the thin-clients from authentication, since they basically have nothing running on them and they cannot authenticate to the NAC server.
- The second NAC appliance will be configured as Out of Band, and all the remaining regular users (with physical laptops and desktops) get authenticated to this NAC server.
This way the NAC bottleneck would be limited to the thin-client users who connect to the VMs running on the ESX server.
Is this a viable option for NAC'ing the VM clients running on ESX servers?