06-20-2013 02:42 AM - edited 03-10-2019 08:34 PM
Hi guys,
I have a question about ISE and Symantec SEP 11.
In my customer's environment, they want to build a wireless BYOD workplace, but the endpoints have SEP software installed.
Do you know the workflow for SEP when it checks that the system is not secure and then puts my endpoints into the guest VLAN?
In my opinion, the endpoints should be authenticated and authorized by ISE first.
Then, the endpoints should connect to the internet successfully.
Now, suppose the endpoints use the SEP software to check the system status.
What should SEP do if the system is not safe?
Does SEP return a signal to the switch, letting it change the VLAN configuration of the interface to the guest VLAN?
But this action will cause the AP to disconnect from the WLC, and make all the clients connected to this AP disconnect.
Does somebody know?
Thank you !
06-21-2013 02:24 AM
Hi,
Could you please explain how endpoints should be authenticated and authorized by ISE first?
As far as I know, an endpoint cannot authenticate with only Symantec Endpoint Protection Manager.
If the endpoint is installed along with SNAC, then the conditions can be set, but this needs to be checked in detail.
Regards,
Chetan
06-29-2013 07:24 AM
Hi Chetan,
Thanks for your reply.
I've searched the SEP web site and found some workflows, and I combined them for my environment.
I'm not sure it's right; the flow is:
1. Client computer connects and sends logon through EAP.
2. The WLC forwards the user name and password to the LAN Enforcer.
3. The LAN Enforcer forwards the username and password to the ISE server.
4. The ISE server generates an EAP challenge.
5. The LAN Enforcer receives the EAP challenge and adds the Host Integrity check.
6. The LAN Enforcer checks the Host Integrity results and forwards them to the ISE server.
7. The ISE server performs EAP authentication and sends the result to the LAN Enforcer.
8. The LAN Enforcer receives the authentication result and forwards it and the action to take to the WLC.
9. If the client passes the EAP and Host Integrity challenges, the WLC allows network access.
......
But when I configure the WLC, the RADIUS server address is the ISE server IP address. That means the WLC forwards the username and password to the ISE server directly, and it will not go through the LAN Enforcer.
So this confuses me a lot.
Do you know why?
Thank you !
Regards,
Yuxiang.
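The numbered flow in the post above places the LAN Enforcer in the RADIUS path between the WLC and ISE, so that it can attach the Host Integrity result to the EAP exchange and pick the action sent back to the WLC. The following is an added toy model of that path, written for this thread; it is not Symantec or Cisco code. RADIUS messages are reduced to plain Python objects, the credential table and the Host Integrity results are constructed stand-ins for what ISE and the SEP client would actually hold, and the VLAN numbers plus the "failed Host Integrity goes to the guest VLAN" mapping are assumptions taken from the first post. Running it side by side for a WLC that points at the Enforcer and a WLC that points at ISE directly shows why the configuration in the last post matters: a RADIUS proxy can only influence authorization if the NAS actually sends to it.

```python
"""Toy model of the RADIUS path: WLC -> LAN Enforcer -> ISE.

Added illustration for the thread, not Symantec or Cisco code. Message
formats, the credential table, the Host Integrity table and the VLAN
numbers are all constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional

PRODUCTION_VLAN = 100   # constructed: VLAN for a compliant, authenticated endpoint
GUEST_VLAN = 999        # constructed: restricted VLAN when Host Integrity fails (assumption)


@dataclass
class AccessRequest:
    username: str
    password: str
    host_integrity_passed: Optional[bool] = None  # attached by the Enforcer (steps 5-6)


@dataclass
class AccessResponse:
    accepted: bool
    vlan: Optional[int] = None
    reason: str = ""


class IseServer:
    """Models ISE as the EAP authentication server (steps 4 and 7)."""

    def __init__(self, credentials: dict):
        self._credentials = credentials  # constructed user database

    def handle(self, req: AccessRequest) -> AccessResponse:
        if self._credentials.get(req.username) != req.password:
            return AccessResponse(False, reason="EAP authentication failed")
        # ISE on its own knows nothing about SEP Host Integrity: valid
        # credentials are authorized straight into the production VLAN.
        return AccessResponse(True, vlan=PRODUCTION_VLAN, reason="EAP ok")


class LanEnforcer:
    """Models the LAN Enforcer as a RADIUS proxy in front of ISE (steps 3, 5, 6, 8)."""

    def __init__(self, upstream: IseServer, host_integrity_results: dict):
        self._upstream = upstream
        # constructed: what the SEP client on each endpoint reported for Host Integrity
        self._hi_results = host_integrity_results

    def handle(self, req: AccessRequest) -> AccessResponse:
        req.host_integrity_passed = self._hi_results.get(req.username, False)
        upstream = self._upstream.handle(req)
        if not upstream.accepted:
            return upstream  # EAP failed: the Enforcer just relays the reject
        if req.host_integrity_passed:
            return upstream  # step 9: both checks passed, production access
        # Credentials valid but host not compliant: the "action to take" (step 8)
        # becomes the restricted VLAN instead of ISE's production VLAN.
        return AccessResponse(True, vlan=GUEST_VLAN, reason="Host Integrity failed")


class Wlc:
    """The WLC only ever talks to whatever is configured as its RADIUS server."""

    def __init__(self, radius_server):
        self._radius = radius_server

    def logon(self, username: str, password: str) -> AccessResponse:
        return self._radius.handle(AccessRequest(username, password))  # steps 1-2


def build_demo():
    """Two WLCs sharing one ISE: one proxied through the Enforcer, one direct."""
    creds = {"alice": "correct-horse", "bob": "battery-staple"}  # constructed
    hi = {"alice": True, "bob": False}                            # constructed
    ise = IseServer(creds)
    return Wlc(LanEnforcer(ise, hi)), Wlc(ise)


def via_enforcer(username: str, password: str) -> AccessResponse:
    wlc, _ = build_demo()
    return wlc.logon(username, password)


def direct_to_ise(username: str, password: str) -> AccessResponse:
    _, wlc = build_demo()
    return wlc.logon(username, password)


if __name__ == "__main__":
    for name, fn in (("via enforcer", via_enforcer), ("direct to ISE", direct_to_ise)):
        for user, pw in (("alice", "correct-horse"), ("bob", "battery-staple"), ("bob", "wrong")):
            r = fn(user, pw)
            print(f"{name:14} {user:6} accepted={r.accepted} vlan={r.vlan} ({r.reason})")
```

In the proxied case, bob authenticates but lands in the guest VLAN because his Host Integrity check failed; in the direct case the same logon is authorized into the production VLAN, because nothing in the path ever evaluated the Host Integrity result.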