Cisco ISE 2.2

jm.virtual01
Level 1

Hey,

We have Cisco ISE 2.2. We have some critical devices in the network and we have profiled them. Everything is working fine. As is the default behaviour for authentication on ISE, if the end device cannot pass authentication then it goes to the Guest VLAN, and in the Guest VLAN the endpoint can go on the internet. But this is common for all unauthenticated end devices.

But I want to configure it a little differently for the critical devices. If the critical devices fail to authenticate then they will go on the Guest VLAN, that's okay, but the critical devices should not go on the internet. How can I block only a few unauthenticated devices from getting internet access from the Guest VLAN?

Thanks in Advance!

Accepted Solution

@Arne Bier why wouldn't a different ACL on a MAC endpoint group work? Agree SGT is the way to go, but if it's only a small number of users it might not be worth the effort. VLAN change is crappy but there are already port macros..

https://community.cisco.com/t5/identity-services-engine-ise/solution-for-change-of-vlan-for-wired-guests-using-smart-port/td-p/3432614

5 Replies

Jason Kunst
Cisco Employee
You would need to somehow identify those devices

Simplest way would be to create an endpoint group with their MAC addresses and create a rule to say:
If MAB and critical devices then return a different ACL that doesn't allow internet.

I have already profiled them and it is working fine. But I do not know how I can block them from getting internet access from the Guest VLAN once authentication has failed for those endpoints.

I think this becomes an L3 issue and no longer authentication. If you had TrustSec then it might be trivial, because you could assign an SGT to this class of user and enforce a separate ACL on the firewall.

Perhaps the pragmatic approach is to put this class of user on a separate VLAN? At least then you have an IP source address range which you can use in your firewall/ACL rule set to block the internet. It would be the only identifier of this class of user that you have.

A third technique could be to force users through a proxy and catch them there via another round of authentication. But that is another world of pain that I assume you want to avoid.

Ah yes, of course. You're right @Jason Kunst, a dynamic NAS ACL would take care of it. The client would have a default gateway, but the NAS ACL (e.g. WLC ACL) acts as an L2 firewall and you could allow only RFC1918 subnets. That would effectively block the internet.
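Jason's suggestion (an endpoint identity group of the critical MAC addresses plus an authorization rule that returns a restrictive ACL when they fall back to MAB) and Arne's follow-up (permit only RFC1918 space so nothing is routed to the internet) together describe a downloadable ACL. The following is an added example, not code from this thread or from Cisco: a small Python evaluator that parses a constructed dACL written in Cisco extended-ACL syntax and reports which flows from a fallen-back critical device are permitted and which are dropped. The resolver address 10.1.1.53, the client address 192.168.50.10 and the 203.0.113.0/24 public destinations are constructed sample values, and the "first match wins, implicit deny" model is a simplification of what the switch or WLC does.

```python
import ipaddress

# Constructed example dACL in Cisco extended-ACL syntax (the form ISE pushes as
# a downloadable ACL). The source is always "any" because the NAS substitutes
# the authenticated host's own address. Order matters: first match wins, and an
# unmatched packet hits the implicit "deny ip any any" at the end.
CRITICAL_DEVICE_DACL = """
remark let the device still obtain an address and resolve names internally
permit udp any any eq 67
permit udp any host 10.1.1.53 eq 53
remark RFC1918 space only: internal servers reachable, nothing routed to the internet
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
remark explicit final deny (same as the implicit default)
deny ip any any
"""


def wildcard_to_network(addr, wildcard):
    # Cisco wildcard masks are the inverse of a subnet mask: 0 bits must match.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_endpoint(tokens, i):
    # Accepts "any", "host A.B.C.D" or "A.B.C.D WILDCARD"; returns (network, next index).
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_dacl(text):
    # Returns a list of (action, protocol, src_net, dst_net, dst_port_or_None).
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_endpoint(tokens, 2)
        dst, i = _parse_endpoint(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            port = int(tokens[i + 1])
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    # First matching entry decides; "ip" entries match every protocol.
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL


def check_flows(rules):
    # Constructed sample flows from a critical device that fell back to MAB.
    flows = {
        "DHCP": ("udp", "0.0.0.0", "255.255.255.255", 67),
        "internal DNS": ("udp", "192.168.50.10", "10.1.1.53", 53),
        "internal file server": ("tcp", "192.168.50.10", "10.20.30.40", 445),
        "public web": ("tcp", "192.168.50.10", "203.0.113.10", 443),
        "public DNS": ("udp", "192.168.50.10", "203.0.113.53", 53),
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_flows(parse_dacl(CRITICAL_DEVICE_DACL)).items():
        print(f"{name:22s} {verdict}")
```

Two details are worth checking when writing the real dACL: the DNS entry is pinned to the internal resolver on purpose, because a broader `permit udp any any eq 53` would let the device reach any resolver on the internet; and the authorization rule must be conditioned on the critical-device identity group as well as on MAB, otherwise every MAB fallback would receive this ACL instead of the normal guest one.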