ISE : MAB, SoA ...

yoshipower
Level 1

Hello,

I'd like to implement Cisco ISE on my network so that 802.1x authentication will be operational.

When I take a look at this document: http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038
There are a lot of Catalyst 2950s on my network and I see that some features aren't supported on these devices: MAB, dACL, SGA.

What are the consequences of these non-supported technologies? I've found out, for instance, that MAB is used to authenticate devices which don't allow or support 802.1x, so will the printers on my network still work?

And what about dACL and SGA? Are these features really useful, or isn't it that bad if I can't use them?

Thanks.

6 Replies

askhuran
Level 1

Hello Yoshipower,

Catalyst 2950 does not support MAB, SGA, CWA, LWA or dACL; it supports 802.1x only. So this means that you can only use dot1x authentication, but profiling, client provisioning, posture assessment and change of authorization features are not available to you on Catalyst 2950. You have already gone through the ISE Network Component Compatibility document.

So if you feel only user authentication fulfills your requirement, you can set up dot1x authentication, but it should not be enabled on the ports where devices like printers, IP phones, cameras, UPS etc. are connected. Briefly, we can say that only user authentication is available.

Regards,

Ashok

Hello Ashok,

Thank you for your proper answer, you're really fast in this forum. My network is composed of nearly 60% 2950 switches, but there are a lot of other devices such as 2960 and 3750 switches. However, I don't have a lot of devices which don't support 802.1x auth (only a dozen printers), so I guess I could turn off dot1x on them as you advised me.

Are the unavailable features on 2950 useful? I mean by that that if they are really essential, I would have to invest in new switches, and it's a considerable question in terms of money... I haven't deployed ISE yet, so I'd like to be sure of my theoretical study before going on.

Thanks a lot !

I agree with Ashok... devices such as printers and cameras don't support dot1x and they completely rely on MAB.

If you turn on dot1x and MAB on the switches and set the order/priority, it will work for both kinds of devices, those that support dot1x and those that support MAB, so it will work in a failover fashion.

I'd say 3750 and 3560 POE are the best switches to implement flex auth that includes dot1x, MAB and web-auth.

SGA is an advanced feature and not every deployment includes this feature.

SGA Features and Terminology

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_sga_pol.html#wp1058113

Jatin Katyal


- Do rate helpful posts -

~Jatin

askhuran
Level 1

If you want to manage your limited investment, you can follow a phased implementation approach, though it would be a little laborious. You can swap 2950 switches with 2960 or 3750 wherever you have devices like printers. So you can connect your printers on either 2960 or 3750 switches only, and PCs on 2950 switches. Then set up the flexauth (MAB > dot1x) order and priority as required on those switches where printers etc. are connected. Jatin Katyal has rightly suggested this, and I agree with him.

With this approach, you can set up and enable all other features, i.e. profiling, client provisioning, CoA for certain identity groups which are connected on supported switches (2960, 3750).

Note: Please make sure to review the IOS on your 2960 switches and compare the same in the "ISE Network Component Compatibility Document".
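Below is an added example of the flex-auth port configuration that Jatin and Ashok describe (MAB tried first, dot1x given priority, fallback between methods) written for a Catalyst 2960/3750 running a 12.2(55)SE-class IOS. It is not taken from the thread or from Cisco's documentation; the ISE address (10.0.0.10), the shared secret, the interface names and the VLAN number are assumptions, and the 2950 stanza at the end reflects only what the thread says about that platform (802.1X alone, no MAB).

```cisco
! --- Global AAA towards ISE (assumed server address and key) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key ExampleSecret
radius-server vsa send authentication
!
! Accept Change of Authorization (CoA) from ISE, which profiling and
! posture flows use to re-authorise a session after the initial login.
aaa server radius dynamic-author
 client 10.0.0.10 server-key ExampleSecret
!
dot1x system-auth-control
!
! --- 2960/3750 access port that may carry either a PC or a printer ---
interface GigabitEthernet1/0/10
 description flex-auth access port (assumed interface and VLAN)
 switchport mode access
 switchport access vlan 20
 ! MAB first: a printer is authorised straight away from its MAC address,
 ! while a PC (MAC unknown to ISE) fails MAB and moves on to dot1x.
 authentication order mab dot1x
 ! If a supplicant answers later, the dot1x result overrides the MAB result.
 authentication priority dot1x mab
 authentication port-control auto
 ! On an Access-Reject, explicitly continue with the next method.
 authentication event fail action next-method
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Catalyst 2950: 802.1X only, as the compatibility document states ---
! The mab and authentication order/priority commands above do not exist
! here, so keep only supplicant-capable hosts (PCs) behind these ports.
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
```

Because the 2950 offers nothing beyond `dot1x port-control auto`, a printer on such a port simply never gets authorised, which is why the phased approach above moves printers onto 2960/3750 ports. On those switches, `show authentication sessions interface GigabitEthernet1/0/10` should report the method as mab for the printer and dot1x for a PC; if a PC shows up as mab, check that the order and priority commands are both present.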

Hi back,

Here's a small update about my topic. I've talked a bit with my boss and it turns out that he wants ISE to be deployed to ensure full security, which means I need to use profiling and provisioning for users to authenticate with the NAC agent!

Thus, I'd like to know which features are required for my solution. What do I need: CoA, Web Auth? I'm a bit lost...

I'm guessing I'll have to change my old 2950, but what about my 2960, 3950, 4510 and 4507 switches ? Do they support what I want to do ?

Thank you for your help !

Yes I guess everything looks fine except 2960 doesn't support DACL.

Jatin Katyal


- Do rate helpful posts -

~Jatin