
Is Cisco AnyConnect license required

henryhrose
Level 1

Hi,

I have a case where we have proposed Cisco ISE basic and advanced license for around 10000 users.

The customer is asking for an 802.1X supplicant; we are telling the customer that 802.1X will be taken care of by the operating system and that the NAC agent will take care of profiling and posturing.

Could you please advise if an 802.1X supplicant is really required for an ISE deployment?

The response is urgently awaited; could you please respond?

6 Replies

Pedro Lereno
Level 1

Hi Henry,

Almost any modern operating system supports 802.1x.

The Cisco AnyConnect adds more features to it, like:

"In addition to industry-leading VPN capabilities, the Cisco AnyConnect Secure Mobility Client helps enable IEEE 802.1X capability, providing a single authentication framework to manage user and device identity, as well as the network access protocols required to move smoothly from wired to wireless networks. Consistent with its VPN functionality, the Cisco AnyConnect Secure Mobility Client supports IEEE 802.1AE (MACsec) for data confidentiality, data integrity, and data origin authentication on wired networks, safeguarding communication between trusted components of the network."

The transcript was extracted from:

http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/datasheet-c78-733184.html

 

Where you can check if these security features are needed for your client.

Regards,

Pedro Lereno

 

Dear Pedro,

Thanks for the timely help. Could you please elaborate more on providing a single authentication framework to manage user and device identity?

Regards,

Henry

 

Thanks Pedro for the timely help.

Could you please help me understand the following:-

1) Providing a single authentication framework to manage user and device identity

2) Cisco AnyConnect Secure Mobility Client supports IEEE 802.1AE (MACsec) for data confidentiality, data integrity, and data origin authentication on wired networks, safeguarding communication between trusted components of the network. Does it mean that MACsec is possible only with AnyConnect, and the encryption is between the wired users and which component?

Would be of great help if you can provide me more light on the above mentioned points.

 

Regards,

Henry Rose

Hi Henry,

1) For example, if you have to manage Linux, Windows and macOS clients, you have a different 802.1x software solution for each. As AnyConnect supports the 3 OS clients, you only have to manage a single software framework for authentication.

2) MACsec is like a VPN at layer 2. You can encrypt traffic from the host PC to the switch, and from switch to switch. I think for now you will need AnyConnect for MACsec on a Windows PC. There is a project for MACsec on Linux. Maybe Microsoft is developing it for Windows 10.

 

Regards,

Pedro Lereno

Dear Pedro,

Thanks for the clarification. Just one last query: if I run 802.1x from the OS, do I need to do some configuration on the ISE? I understand that the OS will take care of 802.1x, hence there is no configuration to be done on ISE.

Am I correct?

Hi,

On the ISE you need to configure the policies (maybe with Active Directory integration or LDAP) and the access rules.

 

This article may be useful to configure the network for authentication:

https://supportforums.cisco.com/document/124301/8021x-using-cisco-ise

 

Regards,

Pedro Lereno

 
