Enthusiast

Ask the Expert: BYOD with Identity Services Engine

I would like to know if NIC bonding is on the road map of ISE?

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Sander,

To the best of my knowledge, it's not on the roadmap yet. I'd advise getting in touch with your local Cisco account/sales team and asking for an enhancement.

Thank you and best regards,

Bernardo

Enthusiast

Re: Ask the Expert: BYOD with Identity Services Engine

My customer is limited in his VM space. Although he would like to have an active/standby for his administration node, he doesn't need this for his logging. Is it recommended to roll this in production? With limited HDD space, what would be the recommended space (300 GB?)

 

| | administration | monitoring | policy service |
|---|---|---|---|
| Machine VM | primary | Not enabled | enabled |
| Machine HW | secondary | primary | enabled |

 
Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Sander,

If I understand correctly, you want to run the primary administration node in a VM while having the secondary administration node + primary in an appliance. Your concern is how much disk space to allocate to the primary admin VM as you're limited to 300 GB.

Both servers will run as policy nodes.

Here you can find the recommended values for ISE VM Disk size, depending on their role:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_vmware.html#wp1110217

An admin role should have at least 200 GB, a policy node 100 GB; I'd go for the full 300 GB.

Thank you and best regards,

Bernardo

Explorer

Re: Ask the Expert: BYOD with Identity Services Engine

Hello Gaspar,

I have a few queries regarding ISE:

- Does ISE support virtual environments?

- For Virtual Desktop / Server, will ISE help with posture assessment and enforcement?

- If a new machine is connected to the network without any agent, what functions can ISE provide?

- How long will it take post installation of the agent? Is it real time? Is it configurable?

- What type of notification can ISE provide in the case of no agent installed on the new machine?

- What will asset classification be based on? Is it based on what we have configured, i.e. role, domain, IP etc.?

- Can ISE detect rogue APs?

- Will ISE support virtual machines, e.g. hypervisor?

- If a new network device, i.e. a switch, is installed in the network, will it automatically sync and begin working?

- Is ISE capable of integration with existing Symantec AV and SCCM products for compliance?

- If the agent is installed, is self-remediation possible?

- Number of endpoints supported by ISE?

- List of third-party end devices supported?

Regards

Beginner

Ask the Expert: BYOD with Identity Services Engine

Hi Bernardo

While doing EAP chaining I change VLAN when the user is posture compliant, works great...

But I also use roaming profiles.

So when I log off, the VLAN changes back to default immediately, and synchronization of the roaming profile fails because of the VLAN change.

I tried to set the "vlan detect interval" in the NAC Agent to 10 sec, but it didn't change anything.

Is it possible to have the switch or AnyConnect NAM client delay the VLAN change?

Regards Henrik

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Henrik,

This question is more regarding 802.1x on the switch or AC/NAM. ISE isn't involved in this process, all it does is pass the vlan id to the switch after the client authenticates ;-)

When the user logs off, as soon as the switch receives the EAPOL-Logoff it will set the vlan back to the default one. As you say, potentially delaying the logoff from AC/NAM until the roaming profile is saved might work, but I'm not aware of any way of achieving this.

A potential workaround is to allow the needed traffic to save the roaming profiles on the default vlan. But if the client isn't able to renew its IP address it would probably fail as well. Did you try this?

Regarding the vlan detect interval in the NAC Agent, it wouldn't delay the logoff process because:

1. NAC Agent doesn't participate in the 802.1x process, only in posture (vlan assignment, eap chaining - not part of the posture process)

2. This is a timer to set how often the NAC Agent searches for a network change, so it communicates with ISE using the correct IP address.

Thank you and best regards,

Bernardo

Ask the Expert: BYOD with Identity Services Engine

Hi Bernardo, I hope you're very well.

So, I'd like to know if I can achieve any level of BYOD using Cisco ISE 3315 with Basic License.

Thank you!

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hi Milton,

If by BYOD you mean automatically enrolling and provisioning different kinds of devices, then no. With a base license you wouldn't be able to profile the clients nor automatically provision them.

If you mean bringing a personal device to the corporate environment, manually configuring it to access the network and using ISE as an authentication server, then the base license would be enough.

From the ordering guide:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html

---snip---

Advanced license features include device onboarding and provisioning, device profiling, posture services

---snip---

Thank you and best regards,

Bernardo

Beginner

Ask the Expert: BYOD with Identity Services Engine

Hi Bernardo,

We are having CVP 4.0(2) for our VoIP communications, for which Cisco has announced End of Life.

We are having CCM version 7.1 and Unity VM 4.0.

Now we need to upgrade our CVP to the latest version. Please advise what will be the best solution to upgrade and renew our contract.

Thanks

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Syed,

This thread is for questions regarding ISE, which is a AAA server. I'd suggest either trying the voice tech forums or contacting your local Cisco partner or Cisco sales team for alternatives.

Thank you and best regards,

Bernardo

Beginner

Re: Ask the Expert: BYOD with Identity Services Engine

Hello Bernardo,

I've been wondering how we can solve the MAR time issue.

If we use machine authentication in authorization policies and clients do not shut down their computers within the MAR time, it will be a problem.

The only way I know to prevent this is the AnyConnect NAM module, but if the customer does not use this, we cannot find any solution.

How can we proceed?

Thank you.

Nurullah Kazar