Cisco Support Community
New Member

Cisco ISE with VPN routers (800) and wireless clients

Hi,

 

I am using the wireless endpoints over VPN routers (800). Cisco ISE is being used for the authentication. Dynamic authorization (second phase) doesn't kick in for the wireless users, and posture validation doesn't happen for these users. Service-type login is being used by the VPN routers instead of dot1x.

Machine authentication kicks in, but not user authentication.

Has anyone succeeded in implementing posture validation over VPN routers (800) for wireless users?

 

thanks,

Ramesh

6 REPLIES
Cisco Employee

Which device (make and model) is providing the wireless services to the client(s)?

Thank you for rating helpful posts!
New Member

Cisco 877

Cisco Employee

I am afraid you won't be able to perform posture assessment with that hardware. You could probably get it to work with an IPEP (Inline Posture Node), but for that you will have to purchase a dedicated ISE appliance. By the time you are done doing that, you would be better off getting a Cisco 2504 controller to replace the wireless functionality. The 2504 is fully supported for all ISE features, so it will make your life a lot easier :)

Hope this helps!

 

Thank you for rating helpful posts!
New Member

Hi Neno,

 

The router is transparent between the client (wireless client) and the server (ISE). In this case, why do we need to upgrade the 877 to a 2504? Do the 877s drop any RADIUS attribute?

Can you think of any other way to implement the posture validation with the 877? The customer has 100s of 877s. They already have the inline NAC. However, they want to get rid of it and replace it with Cisco ISE.

thanks,

Ramesh

Cisco Employee

It is just not a supported platform. I think what it boils down to is the support for CoA (Change of Authorization), which is defined under RFC 3576 and RFC 5176. I have never worked with the 877 platform and I don't have one to test with, but from what I am able to find, there is either no support for CoA or it is a limited one.

Hope this helps!

 

Thank you for rating helpful posts!
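Added example, not part of the thread and not Cisco code: the reply above names CoA (RFC 5176) as the deciding feature, so this Python sketch shows what a policy server checks when a network device answers a CoA-Request, namely the Response Authenticator and, on a CoA-NAK, the Error-Cause attribute. The shared secret, session ID and packets are constructed sample values, and Message-Authenticator handling is left out.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RADIUS packet codes (RFC 5176)
ERROR_CAUSE = 101                           # Error-Cause attribute type
CAUSES = {401: "Unsupported Attribute", 404: "Invalid Request",
          405: "Unsupported Service", 503: "Session Context Not Found"}

def build_packet(code, ident, attrs, secret, request_auth=bytes(16)):
    """attrs: list of (type, value bytes). A CoA-Request hashes 16 zero octets
    in the authenticator slot; a reply hashes the Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_reply(reply, request, secret):
    """Authenticate a NAD's reply to our CoA-Request and classify it."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply):
        raise ValueError("bad length field")
    reply = reply[:length]
    if code not in (COA_ACK, COA_NAK) or ident != request[1]:
        raise ValueError("not a reply to this CoA-Request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch")
    cause, pos = None, 20
    while pos < length:  # walk the type-length-value attributes
        if pos + 2 > length or reply[pos + 1] < 2 or pos + reply[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = reply[pos], reply[pos + 1]
        if atype == ERROR_CAUSE and alen == 6:
            cause = struct.unpack("!I", reply[pos + 2:pos + 6])[0]
        pos += alen
    verdict = "ack" if code == COA_ACK else "nak"
    return verdict, cause, CAUSES.get(cause)

# Constructed sample exchange (not captured from an 877 or any real device).
SECRET = b"constructed-secret"
REQ = build_packet(COA_REQUEST, 7, [(44, b"0000002A")], SECRET)  # Acct-Session-Id
NAK = build_packet(COA_NAK, 7, [(ERROR_CAUSE, struct.pack("!I", 405))], SECRET, REQ[4:20])

if __name__ == "__main__":
    print(parse_reply(NAK, REQ, SECRET))
```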

Please have a look at the compatibility matrix!! See the supported routers and remote access devices:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
