ISE in a VDI Environment

halfdeadcat09
Level 1

I've done several ISE deployments with good results, but there is one environment where ISE is needed but not (yet) suitable: VDI. I have several customers who are extensively virtualized for the desktop environment (80% or more) and who would benefit from user-based differentiated network access. For instance, Call Center users have no need to access Accounting resources. I understand where VSG fits in this picture, but that gives you VM-to-VM access control. I am looking for user-based authorization. The guest VMs support 802.1x via their native supplicants.
The missing piece for this to work is 802.1x CoA in Nexus 1000v, which is not available. I have not found a way around this lack. If anyone has a suggestion for implementing user authorization in a VDI environment, I would appreciate the input. Failing that, is 802.1x support in the 1000v on the roadmap?

I see that the 1000v now supports SGTs. But without user authorization to assign them, this is pretty much useless.

3 Replies

Ravi Singh
Level 7

Ravi,

Is the 802.1x supplicant only available with the RDP display protocol? Is it not available with PCoIP?

Not all networks are SGT ready and would not be able to benefit from the capability in the document from the link you provided. Is it not possible to have downloadable ACLs enforced by the AnyConnect?

I have also been trying to find out if VM-FEX ports were capable of 802.1x and dACL, but haven't found anything that says it is supported. My thinking is that since the ports were extended from the network to VM, that it may be a possibility.

Thanks,
Mark

Hi all

Has there been any development in the meantime that would support authentication and tagging (or identity awareness and filtering) for PCoIP-based VDI deployments?

Regards

Toni