Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
38424
Views
45
Helpful
0
Comments

Does ISE Support My Network Access Device?

thomas
Cisco Employee
Cisco Employee

‎08-17-2017 05:36 PM - edited ‎03-23-2023 12:12 PM

Contents

 

ISE Supports the RADIUS and TACACS Protocols

image.png

If your network access device can issue access control requests using the standard RADIUS and TACACS protocols then ISE can support it! RADIUS and TACACS protocol support is clearly documented in the ISE Compatibility Guides including the individual RFCs that ISE supports. Some vendors have created RADIUS Vendor Specific Attributes (VSAs) for some of their capabilities - including Cisco - and ISE has the ability to import any additional RADIUS dictionaries that you want.

image.png

 

Network Access Device Access Control Capabilities

These are modern network access device capabilities and features typically required to implement all of the modern access control scenarios available with the Cisco Identity Services Engine :

ISE Capability Network Device Features
AAA 802.1X, MAB, VLAN Assignment, Downloadable ACLs
Profiling RADIUS CoA and Profiling Probes
BYOD RADIUS CoA, URL Redirection + SessionID
Guest RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Guest Originating URL RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Posture RADIUS CoA, URL Redirection + SessionID
MDM RADIUS CoA, URL Redirection + SessionID
TrustSec SGT Classification

When people ask "Does ISE support my network device?", often what they are really asking "Can ISE give me all of lastest, modern, dynamic access control capabilities and segmentation even with this old, inexpensive switch"?  The answer is No. However for these older and less capable switches, ISE offers features like SNMP CoA and Authentication VLAN to provide some rudimentary capabilities for basic Guest, BYOD and Posture flows on older or less capable network access devices.

 

What are The Capabilities of My Network Access Devices?

We have conveniently documented the capabilities for Cisco hardware and software combinations in Network Access Control Capabilities of Network Devices . For all others, you will need to research this with the network device vendors' websites, product documentation, forums, etc. Sometimes you may just have to play in your lab to find out what works and what doesn't and create a Network Device Profile for the different combinations of capabilities.

 

But I Don't See My Network Device in the Compatibility or Capabilities Guides

Again, the ISE Compatibility Guides clearly states RADIUS and TACACS protocol support :

Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication.

If your network device supports RADIUS and/or TACACS+ then ISE supports it!

There are many reasons why both Cisco and non-Cisco devices may not be listed in our guides :

  1. Our QA team cannot afford to validate every single hardware and software combination with every ISE release
  2. New  hardware platforms must be acquired and tested which usually occurs within 6-9 months after the hardware release
  3. Every model of a hardware family are not validated - we pick one model and use that to represent the hardware family
  4. Every software release is not validated - we pick one released platform software version recommended by the platform team a few months before the actual ISE release for QA validation planning
  5. Older ISE releases will not be validated with newer network device software but still should work per protocol standards.

We always recommend trying your network access device hardware and software in your lab with ISE before deploying to production so you are confident that is will behave as expected.  There may be bugs in the endpoints, the network devices, or ISE.

 

ISE Network Access Device (NAD) Profiles

If you have :

  • non-Cisco hardware
  • inexpensive, low-end network device hardware
  • older network device hardware
  • older network device software

then you can use our ISE Third-Party NAD Profiles and Configs or create your own custom NAD profile. Using a NAD profile, you can completely customize how ISE communicates with your network device whether it is on custom ports for RADIUS CoA or if you need to use Authentication VLANs instead of URL Redirection.

 

How does an Authentication VLAN work?

image.png

For more information, see Third-Party Network Device Support in Cisco ISE in the ISE Administrator Guides.

 

Problems with Using Authentication VLANs

  • you cannot control multiple devices per port
  • traffic filtering is very crude with L2 VLANs - no L3/4 IP/protocol/port control except with a VACL or VRF
  • no East/West segmentation within a VLAN means malware is easily spread to other endpoints within VLANs, whether untrusted or trusted

 

Network Device Validation Requests

If you do not see a particular hardware family listed and would like to suggest it, please send your validation request to surasky.

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents