
Cisco ISE with VPN routers(800) and wireless clients

Hi,

 

I am using the wireless endpoints over VPN routers (800). Cisco ISE is being used for the authentication. Dynamic authorization (second phase) doesn't kick in for the wireless users, and posture validation doesn't happen for these users. Service-type login is being used by the VPN routers instead of dot1x.

Machine authentication kicks in, but not user authentication.

Has anyone succeeded in implementing posture validation over VPN routers (800) for wireless users?

 

thanks,

Ramesh

6 Replies

nspasov
Cisco Employee

Which device (make and model) is providing the wireless services to the client(s)?

Cisco 877

I am afraid you won't be able to perform posture assessment with that hardware. You could probably get it to work with an IPEP (Inline Posture Node), but for that you will have to purchase a dedicated ISE appliance. By the time you are done doing that, you would be better off getting a Cisco 2504 controller to replace the wireless functionality. The 2504 is fully supported for all ISE features, so it will make your life a lot easier :)

Hope this helps!

 

Thank you for rating helpful posts! 

Hi Neno,

 

The router is transparent between the client (wireless client) and the server (ISE). In this case, why do we need to upgrade the 877 to the 2504? Do the 877s drop any RADIUS attribute?

Can you think of any other way to implement the posture validation with the 877? The customer has 100s of 877s. They already have the inline NAC. However, they want to get rid of it and replace it with Cisco ISE.

thanks,

Ramesh

It is just not a supported platform. I think what it boils down to is the support for CoA (Change of Authorization) which is defined under RFC 3576 and RFC 5176. I have never worked with the 877 platform and I don't have one to test with but from what I am able to find there is either no support for CoA or it is a limited one. 

Hope this helps!

 

Thank you for rating helpful posts!

Saurav Lodh
Level 7

Please have a look at the compatibility matrix!! See the supported routers and remote access devices:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
