ISE 1.3 and NAC

I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support
Thanks for any advice/comments/experiences
Jim

Hi Jim-
Version 1.3 offers a built-in PKI and vastly improved guest services experience. The internal PKI is nice if the customer doesn't have an PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow" So you cannot use the ISE PKI to issue certs to domain computers.
With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
I hope this helps!
Thank you for rating helpful posts!

Similar Messages

  • ISE and NAC wireless guest networks

    I have a wireless network that is NAC controlled and use lobby ambassador for guest wireless. What is the best way to migrate to ISE for guest. Are there problems running NAC and ISE on the same controller?
    Sent from Cisco Technical Support iPad App

    Hello,
    For your query regarding ISE and NAC following are my  findings, which might help you in order to solve your query.
    for your first question:-
    ISE is a free software upgrade for customers who have NAC appliance or NAC profiler. This is for both for the base and advance licenses.
    ISE is a 50% software discount for customers who have  NAC guest server. The 50% discount is a migration part for the base license only. The advance features license will not be impacted by this discount.
    for your second question:-
    There should be no issues running NAC and ISE on the same controller until and unless you are using two SSIDs.

  • Difference between ISE and NAC?

    Dear All,
    Can you please help to understand difference ISE and NAC?
    Thank You,
    Abhisar.

    Well ISE is the next generation of NAC and has extended the features some of the comparison of features are mentioned in the given diagram

  • Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

    Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
    -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
    -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
    -No certificates are used.
    -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
    -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
    -For now I'm testing it on wired endpoints.
    Is there a way to configure ISE to fulfill the listed above requirements?
    Any ideas would be appreciated.
    Thanks,
    Val Rodionov

    Everyone who finds reads this article,
    I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
    The answer is Yes.
    After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
    ISE configuration:
    Posture General Settings - Default Posture Status = NonCompliant
    Client Provisioning Policy - no rules defined
    Posture Policy - configured per requirements
    Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
    Authorization Policies configured as regular posture policies
    The result:
    After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
    If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
    The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
    Best,
    Val Rodionov

  • ISE 1.3 and Windows Posture Web Agent

    Hello,
    I am running ISE 1.3 and have an issue running the Posture Web Agent. The client authenticates and gets redirected to the client provisioning portal but get the following message
    Detecting if Web Agent is installed and running gets ticked and then it keeps rolling at scanning your device. Open Web Agent to check the current status of the system scan and update your system as instructed.
    See attached screen shot

    is this issue specific to particular groups of clients/OS type... if using Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”)

  • ISE 1.2 and iPEP Certificate Requirements

    Hi,
    For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:
    Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Postur  certificate.
    [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
    Does the same thing applies for iPEP in ISE 1.2? The User Guide for ISE 1.2 and Hardware Installation Guide doesn't mention anything about EKU and specific certificate attributes..
    Any thoughts?
    Thank you,
    Octavian

    The EKU validation has been removed in version 1.2
    "If you configure ISE for services such as Inline  Policy Enforcement Point (iPEP), the template used in order to generate  the ISE server identity certificate should contain both client and  server authentication attributes if you use ISE Version 1.1.x or  earlier. This allows the admin and inline nodes to mutually authenticate  each other. The EKU validation for iPEP was removed in ISE Version 1.2,  which makes this requirement less relevant."
    Source:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml

  • I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

    I want to integrate SMS gateway to Cisco ISE 1.2 and my question is 
    SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor 

    I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
    Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
    Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

    does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
    ciscoISE/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    ciscoISE/admin(config)# snmp-server
    Ciscoacs/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    Ciscoacs/admin(config)# snmp-server

    No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
     http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

  • Ise patch 1 and 2 for 1.1.4 problem with resetting-application

    Hi guys,
    For your info. ISE patch 1 and 2 got the same problem on 1.1.4. If you got patches installed and tries to reset the application of ISE the monitoring applets are all gone. It's loading an empty page. Solution: rollback any installed patches. Monitoring is back up again. Install the patches again and erverything is fine. Took me one afternoon to figure this out.

    Hi Ravi,
    Do you know, what is going wrong? I'm wondering if everything is working correctly and if patches are applied correctly.

  • Cisco ISE 1.1 and IE9

    Is anyone else having problems with ISE admin/monitoring pages not working properly under IE9?  I just completed an upgrade to ISE 1.1, and it seems more and more, when I try to manage the system with IE9, I will get the following error (host name changed to protect the inocent). I dont know if this is truly an IE9 issue, or the chrome plug-in we are forced to use.  Works perfect under Firefox 11.0.
    This webpage is not available
    The webpage at https://iseserver.domain.com/mnt/pages/dashboard/dashboard.jsp?mnt_config_write=true&token=BEGIN_TOKENXspmm4x5AwFsV6NExIBAVA==END_TOKEN might be temporarily down or it may have moved permanently to a new web address.
    Error 103 (net::ERR_CONNECTION_ABORTED): Unknown error.

    Supported Administrative User Interface Browsers
    You can access the Cisco ISE administrative  user interface using the following browsers:
    •Mozilla Firefox 3.6 (applicable for  Windows, Mac OS X, and Linux-based operating systems)
    •Mozilla FireFox 9 (applicable for Windows,  Mac OS X, and Linux-based operating systems)
    •Windows Internet Explorer 8
    •Windows Internet Explorer 9 (in Internet  Explorer 8 compatibility mode)
    Cisco ISE GUI is not supported on  Internet Explorer version 8 running in Internet Explorer 7 compatibility mode.  For a collection of known issues regarding Windows Internet Explorer 8, see the  "Known Issues" section of the Release Notes for the Cisco Identity Services  Engine, Release 1.1.

  • ISE Guest Portal and one more SSID using internal accounts

    Hi Guys,
    I have two SSIDs on WLC, the first is related with ISE Guest Portal and the second is related with employee but i realize that the
    Guest user can access the employee SSID and employee accounts can access the Guest portal page.
    I guess this is happen because i cannot split these databases under "Internal Users" on Authentication Policy.
    How can i restrict the access even if i am using the internal databse?
    thanks a lot

    using the Authorization policy is the right way.  Match the corp ID store to the corp WLAN SSID ID in the AuthZ policy, for example (where Employee is your corp ID store and yyyy is the name of your corp SSID):

  • ISE distributed environment and snmp monitoring

    - I wonder wether there are any specific MIBS dealing or supporting node statuses in a distributed ISE
    environment , I would like to be able to query the replication status of a node , using a SNMP MIB variable,
    is thos possible ?
    M.

    Not sure because I didn't find any MIB for this purpose. I have also checked in ISE 1.2 and the result was same. you can also check on this link.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mib.html

  • CSA agent and NAC agent together

    Hi, do you have experience of CSA agent and NAC agent together on the same pc ?
    Does one include the other ?
    Which one have I to test first ?
    thank you in advance
    greatings
    RS

    Cisco Trust Agent collects security posture information from the NAC-compliant applications running on the network client and reports them to the Cisco Secure Access Control Server (ACS). These are some NAC-compliant applications:
    - Antivirus applications
    - Personal firewalls
    - Host-based intrusion protection applications, such as Cisco Security Agent (CSA)
    Cisco NAC is a strategic element of the Self-Defending Network. Working together with other Self-Defending Network components such as Cisco Security Agent and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS), Cisco NAC helps organizations achieve more accurate threat identification and prevention while increasing patch management efficiency.

  • ISE - DHCP SPAN and DHCP Profiling

    Hi everyone,
    We're embarking on an evaluation of ISE and trying to clarify my thoughts around the DHCP based profiling probes.
    If we are using DHCP SPAN and have all DHCP traffic mirrored to ISE, should we still use IP helpers and the DHCP probe?
    I would expect if we're using DHCP SPAN and mirroring all the traffic then using the DHCP probe with IP helpers on floor switches is a little redundant.
    Thanks,
    Mark

    Hi,
    Just to add from my experience;
    I am deploying ISE for the first time, I have around 100 sites ( I only use ISE+WLC 7.3, NO WIRED).
    It's good to forward all dhcp request to ISE with IP-HELPERS before deploying.
    This is what I did with one of my sites and I had no problem when they switched over as 90% of devices were already profiles using dhcp probe
    Hope to help.
    P.s note that WLC 7.3 does send first http packet to ISE but only if you opened up safari first after authentication, if you opened any other application that uses http protocol it will send weird strings to ise, ie VIBER and so on.
    Look around i've posted a thread about it

  • Guest-Anchor-WLC and NAC integration guide

    I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?

    User traffic is locally bridged on a 1030 in REAP mode so packet forwarded to the default gtw would follow the NAT rules on the firewall but the real challenge is the LWAPP control channel. In that past using 1:1 NAT I was successful with a CP firewall but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

Maybe you are looking for

  • Creative Cloud for Teams error

    The company I work for as just upgraded from single accounts to the creative cloud for teams, I use my creative cloud on my pc at work and on my mac at home for overtime. However my home mac is currently erroring with a count down message telling me

  • How to disable a particular record in a block???help

    Hi i am form in which there is a db block.the block shows 12 records at a time...also the block has 12 db items but only 8 are on the canvas..4 four of these eight items are display items My requiremnt is that if the value in..say..item_5 is 17 at an

  • I_Snap$ indexes

    In the past I have created all my read only snapshots (both in 7.3.4 and 8.1.6 databases) without qualifying the owner of the table on the remote database. We are upgrading our source database from 7.3.4 to 8.1.7. Now we MUST qualify the owner of the

  • I am trying to reinstall my AirPort Express.

    First, the computer I'm on is running on a wireless network through a Cisco router.  I am hoping to shut down that router and run though the AirPort Express.  This particular AirPort has worked in the past, but has been reset to factory settings afte

  • Re: Intermittent phone line noise

    Hi BT, I've got internmittent line noise on my line as well. The line used to be pretty good but it has been noisy intermittently over the last few years. I think it may have started when I switched to Infinity but not 100% sure. It doesn't happen at