04-20-2015 01:20 AM - edited 07-05-2021 02:58 AM
Hi,
I have a case where we have proposed Cisco ISE basic and advanced licenses for around 10000 users.
The customer is asking for an 802.1X supplicant. We are telling the customer that 802.1X will be taken care of by the operating system and that the NAC agent will take care of profiling and posturing.
Could you please advise if an 802.1X supplicant is really required for an ISE deployment?
The response is urgently awaited, could you please respond.
04-20-2015 03:27 AM
Hi Henry,
Almost any modern operating system supports 802.1x.
The Cisco Anyconnect adds more features to it like:
"In addition to industry-leading VPN capabilities, the Cisco AnyConnect Secure Mobility Client helps enable IEEE 802.1X capability, providing a single authentication framework to manage user and device identity, as well as the network access protocols required to move smoothly from wired to wireless networks. Consistent with its VPN functionality, the Cisco AnyConnect Secure Mobility Client supports IEEE 802.1AE (MACsec) for data confidentiality, data integrity, and data origin authentication on wired networks, safeguarding communication between trusted components of the network."
The transcript was extracted from:
http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/datasheet-c78-733184.html
Where you can check if these security features are needed for your client.
Regards,
Pedro Lereno
04-20-2015 03:33 AM
Dear Pedro,
Thanks for the timely help. Could you please elaborate more on providing a single authentication framework to manage user and device identity?
Regards,
Henry
04-20-2015 04:04 AM
Thanks Pedro for the timely help.
Could you please help me understand the following:-
1) Providing a single authentication framework to manage user and device identity
2) Cisco AnyConnect Secure Mobility Client supports IEEE 802.1AE (MACsec) for data confidentiality, data integrity, and data origin authentication on wired networks, safeguarding communication between trusted components of the network. Does it mean that MACsec is possible only with AnyConnect, and the encryption is between the wired users and which component?
It would be of great help if you could shed more light on the above-mentioned points.
Regards,
Henry Rose
04-20-2015 04:49 AM
Hi Henry,
1) For example, if you have to manage Linux, Windows and MacOS clients, you have a different 802.1x software solution for each. As AnyConnect supports the 3 OS clients, you only have to manage a single software framework for authentication.
2) MACsec is like a VPN at layer 2. You can encrypt traffic from the host PC to the switch, and from switch to switch. I think for now you will need AnyConnect for MACsec on a Windows PC. There is a project for MACsec on Linux. Maybe Microsoft is developing it for Windows 10.
Regards,
Pedro Lereno
04-20-2015 06:44 AM
Dear Pedro,
Thanks for the clarification. Just one last query: if I run 802.1x from the OS, do I need to do some configuration on the ISE? I understand that the OS will take care of 802.1x, hence there is no configuration to be done on ISE.
Am I correct?
04-20-2015 08:37 AM
Hi,
On the ISE you need to configure the policies (maybe with Active Directory integration or LDAP) and the access rules.
This article may be useful to configure the network for authentication:
https://supportforums.cisco.com/document/124301/8021x-using-cisco-ise
Regards,
Pedro Lereno