Ask the Expert: BYOD with Identity Services Engine

ciscomoderator
Community Manager

With Cisco Expert Bernardo Gaspar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various usage scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.

Bernardo Gaspar is a Customer Support Engineer at the Technical Assistance Center at Cisco Europe, specialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine, as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.

Remember to use the rating system to let Bernardo know if you have received an adequate response.

Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.

This event lasts through Friday, July 12, 2013. Visit the community often to view responses to your questions and those of other community members.

41 Replies

S M85
Level 4

I would like to know if NIC bonding is on the road map of ISE?

Hello Sander,

To the best of my knowledge, it's not on the roadmap yet. I'd advise to get in touch with your local Cisco account/sales team and ask for an enhancement.

Thank you and best regards,

Bernardo

S M85
Level 4

My customer is limited in his VM space. Although he would like to have an active/standby for his administration node, he doesn't need this for his logging. Is it recommended to roll this into production? With limited HDD space, what would be the recommended space (300 GB)?

Node         administration   monitoring    policy service
Machine VM   primary          Not enabled   enabled
Machine HW   secondary        primary       enabled
Hello Sander,

If I understand correctly, you want to run the primary administration node in a VM while having the secondary administration node + primary in an appliance. Your concern is how much disk space to allocate to the primary admin VM as you're limited to 300 GB.

Both servers will run as policy nodes.

Here you can find the recommended values for ISE VM Disk size, depending on their role:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_vmware.html#wp1110217

An admin role should have at least 200 GB, a policy node 100 GB, I'd go for the full 300 GB.

Thank you and best regards,

Bernardo

Hello Gaspar,

I have a few queries regarding ISE:

- Does ISE support a virtual environment?

- For the Virtual Desktop / Server, will ISE help with posture assessment and enforcement?

- If a new machine is connected to the network without any agent, what functions can ISE provide?

- How long will it take after installation of the agent? Is it real time? Is it configurable?

- What type of notification can ISE provide in the case of no agent installed on the new machine?

- Asset classification will be based on what? Is it based on what we have configured, i.e. role, domain, IP etc.?

- Can ISE detect rogue APs?

- Will ISE support virtual machines, e.g. hypervisors?

- If a new network device, i.e. a switch, is installed in the network, will it automatically sync and begin working?

- Is ISE capable of integration with existing Symantec AV and SCCM products for compliance?

- If the agent is installed, is self-remediation possible?

- Number of endpoints supported by ISE?

- List of third-party end devices supported?

Regards

henrikj
Level 1

Hi Bernardo

While doing EAP chaining I change the VLAN when the user is posture compliant; works great...

But I also use roaming profiles.

So when I log off, the VLAN changes back to default immediately, and synchronization of the roaming profile fails because of the VLAN change.

I tried to set the "vlan detect interval" in the NAC agent to 10 sec, but it didn't change anything.

Is it possible to have the switch or the AnyConnect NAM client delay the VLAN change?

Regards Henrik

Hello Henrik,

This question is more regarding 802.1x on the switch or AC/NAM. ISE isn't involved in this process, all it does is pass the vlan id to the switch after the client authenticates ;-)

When the user logs off, as soon as the switch receives the EAPOL-Logoff it will set the vlan back to the default one. As you say, potentially delaying the logoff from AC/NAM until the roaming profile is saved might work, but I'm not aware of any way of achieving this.

A potential workaround is to allow the needed traffic to save the roaming profiles on the default vlan. But if the client isn't able to renew its IP address it would probably fail as well. Did you try this?

Regarding the vlan detect interval in the NAC Agent, it wouldn't delay the logoff process because:

1. NAC Agent doesn't participate in the 802.1x process, only in posture (vlan assignment, eap chaining - not part of the posture process)

2. This is a timer to set how often the NAC Agent searches for a network change, so it communicates with ISE using the correct IP address.

Thank you and best regards,

Bernardo
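The sequence Bernardo describes (ISE returns the VLAN in the RADIUS Access-Accept, the switch applies it, and an EAPOL-Logoff reverts the port to its default VLAN immediately) can be walked through in a small simulation. The code below is an added example, not part of the original thread or of any Cisco product; the VLAN numbers, the Access-Accept attribute dictionary and the "profile server reachable on the default VLAN" flag are constructed assumptions. It also models the caveat in the workaround: even if the default VLAN permits the roaming-profile traffic, the sync still fails while the client holds an IP lease from the compliant VLAN.

```python
"""Simulate 802.1X port VLAN behaviour around an EAPOL-Logoff (added example)."""
from dataclasses import dataclass, field

DEFAULT_VLAN = 10    # constructed: the switch port's configured access VLAN
COMPLIANT_VLAN = 20  # constructed: VLAN ISE assigns once posture is compliant

# Constructed sample of the RADIUS Access-Accept attributes an AAA server sends
# for dynamic VLAN assignment (RFC 3580 tunnel attributes).
ACCESS_ACCEPT = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-ID": str(COMPLIANT_VLAN),
}


@dataclass
class Port:
    """Minimal model of an 802.1X-enabled switch port."""
    vlan: int = DEFAULT_VLAN
    authenticated: bool = False
    events: list = field(default_factory=list)

    def on_access_accept(self, attrs: dict) -> int:
        # The switch only honours the VLAN when all three tunnel attributes match.
        if (attrs.get("Tunnel-Type") == "VLAN"
                and attrs.get("Tunnel-Medium-Type") == "IEEE-802"
                and "Tunnel-Private-Group-ID" in attrs):
            self.vlan = int(attrs["Tunnel-Private-Group-ID"])
        self.authenticated = True
        self.events.append(f"Access-Accept -> vlan {self.vlan}")
        return self.vlan

    def on_eapol_logoff(self) -> int:
        # Logoff is acted on at once: no grace period, port returns to default VLAN.
        self.authenticated = False
        self.vlan = DEFAULT_VLAN
        self.events.append(f"EAPOL-Logoff -> vlan {self.vlan}")
        return self.vlan


@dataclass
class Client:
    """Endpoint whose IP lease belongs to one VLAN at a time."""
    ip_vlan: int

    def renew_ip(self, vlan: int) -> None:
        self.ip_vlan = vlan


def profile_sync_succeeds(port: Port, client: Client,
                          default_vlan_allows_profile_server: bool) -> bool:
    """True if roaming-profile traffic can reach the profile server right now."""
    if client.ip_vlan != port.vlan:
        return False  # lease from another VLAN: traffic is not routed
    if port.vlan == COMPLIANT_VLAN:
        return True   # compliant VLAN has full access
    return default_vlan_allows_profile_server


def roaming_profile_sync(allow_on_default: bool, client_renews_ip: bool):
    """Return (sync works before logoff, sync works after logoff)."""
    port, client = Port(), Client(ip_vlan=DEFAULT_VLAN)
    port.on_access_accept(ACCESS_ACCEPT)
    client.renew_ip(port.vlan)
    before = profile_sync_succeeds(port, client, allow_on_default)
    port.on_eapol_logoff()
    if client_renews_ip:
        client.renew_ip(port.vlan)
    after = profile_sync_succeeds(port, client, allow_on_default)
    return before, after


if __name__ == "__main__":
    for allow, renew in [(False, False), (True, False), (True, True)]:
        print(f"default VLAN allows profile server={allow}, "
              f"client renews IP={renew}: {roaming_profile_sync(allow, renew)}")
```

Only the last scenario (default VLAN permits the profile server and the client obtains a default-VLAN address) lets the sync complete after logoff, which is exactly the condition the answer flags as the likely failure point.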

Hi Bernardo, I hope you're very well.

So, I'd like to know if I can achieve any level of BYOD using Cisco ISE 3315 with Basic License.

Thank you!

Hi Milton,

If by BYOD you mean automatically enrolling and provisioning different kinds of devices, then no. With a base license you wouldn't be able to profile the clients nor automatically provision them.

If you mean bringing a personal device to the corporate environment, manually configuring it to access the network and using ISE as an authentication server, then the base license would be enough.

From the ordering guide:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html

---snip---

Advanced license features include device onboarding and provisioning, device profiling, posture services

---snip---

Thank you and best regards,

Bernardo

pathfindertech
Level 1

Hi Bernardo,

We are having CVP 4.0(2) for our VOIP communications, which Cisco has announced End of Life.

We are having CCM version 7.1 and Unity VM 4.0.

Now we need to upgrade our CVP to the latest version. Please advise what will be the best solution to upgrade and renew our contract.

Thanks

Hello Syed,

This thread is for questions regarding ISE, which is an AAA server. I'd suggest either trying the voice tech forums or contacting your local Cisco partner or Cisco sales team for alternatives.

Thank you and best regards,

Bernardo

nurullahkazar
Level 1

Hello Bernardo,

I've been wondering how we can solve the MAR time issue.

If we use machine authentication in authorization policies and clients do not shut down their computers within the MAR time, it will be a problem.

The only way I know to prevent this is the AnyConnect NAM module, but if the customer does not use this, we cannot find any solution.

How can we proceed?

Thank you.

Nurullah Kazar
