Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
985
Views
0
Helpful
2
Replies

ISE and Symantec SEP 11 Interworkering Question

yuxiang zhou
Level 1
Level 1

‎06-20-2013 02:42 AM - edited ‎03-10-2019 08:34 PM

Hi guys,

I have a question about ISE and Symantec SEP 11.

In my customer envrionment, they want to build a wireless byod work place.  But the endpoints are installed SEP software.

Do you know the workflow for the SEP, when it check the system is not secrity then put my endpoints to the guest VLAN.

In my opinion, the endpoints should authenticationed and authorized by ISE first.

Then, the endpoints should connect to internet successfully.

Now, if the endpoints using SEP software to check the system status.

What should the SEP do if the system is not safe?

Is the SEP return a signal to Switch, let it change the Vlan configuration of the interface to the Guest Vlan ?

But this action will cause the AP disconnect to the WLC, and makes all the clients which is connect to this AP is disconnect.

Somebody knows it ?

Thank you !

Labels:
0 Helpful
2 Replies 2

Chetan Savade
Level 1
Level 1

‎06-21-2013 02:24 AM

Hi,

Could you please update how endpoints should authenticationed and authorized by ISE first ?

As per my knowledge endpoint can not authenticate with only Symantec Endpoint Protection Manager.

If endpoint is installed along with SNAC then can set the conditions, but need to check in details.

Regards,

Chetan

0 Helpful

yuxiang zhou
Level 1
Level 1
In response to Chetan Savade

‎06-29-2013 07:24 AM

HI Chetan,

Thanks for your reply.

I've search the SEP web site and found some work flow. And I combine them to my environment.

I'm not sure it's right, the flow is:

1. Client computer connects and send logon through EAP.

2. The WLC forwards the user name and passwrod to the LAN Enforcer.

3. The LAN Enforcer forwards the username and password to the ISE server.

4. The ISE server generates and EAP challenge.

5. The LAN Enforcer receives the EAP challenge and adds the Host Integrity check.

6. The LAN Enforcer checks the Host Integrity results and forwards them to the ISE server.

7. The ISE server performs EAP authentication and sends the result to the LAN Enforcer.

8. The LAN Enforcer receives the authenticaiton result and forwards it and the action to take to the WLC.

9. If the client passes the EAP and Host Integrity challenges, the WLC allows network access.

     ......

But when i configure the WLC, the RADIUS server address is the ISE server ip address. That means WLC forwards the username and password to the ISE server directly, and it will not through to the LAN Enforcer.

So this is very confused me.

Do you know why?

Thank you !

   

Regards,

Yuxiang.


0 Helpful
Customers Also Viewed These Support Documents