
ISE profiling need answer

yong khang NG
Level 5

Hi Forumers,

I am looking for some answers regarding ISE profiling.

I am able to use ISE to test an 802.1x wireless connection to an Active Directory external identity store.

Somehow for ISE, after enabling the profiling configuration on the deployment nodes, as long as a device authenticates properly and gets into the network, all the MAC addresses are then shown and can be found under Identity Management > Identities > Endpoints.

My question is:

01. Can I do 802.1x authentication without using external identity stores? So far I have only tested using Active Directory, not the ISE Identities > Users.

02. In an environment that is not using external identity stores for authentication, how can I know WHOM a MAC address belongs to?

Thanks

1 Accepted Solution

WPA-PSK terminates at the controller; there is no RADIUS since the key has to match on the client and the controller. There isn't a yes or a no to this question since the design of WPA-PSK doesn't utilize a backend service.

10 Replies

Tarik Admani
VIP Alumni

Please see my answers inline:

I am looking for some answers regarding ISE profiling.

I am able to use ISE to test an 802.1x wireless connection to an Active Directory external identity store.

Somehow for ISE, after enabling the profiling configuration on the deployment nodes, as long as a device authenticates properly and gets into the network, all the MAC addresses are then shown and can be found under Identity Management > Identities > Endpoints.

My question is:

01. Can I do 802.1x authentication without using external identity stores? So far I have only tested using Active Directory, not the ISE Identities > Users.

Here is a guide that has the protocols that are supported by the ISE internal user database:

http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_man_id_stores.html#wpxref86403

02. In an environment that is not using external identity stores for authentication, how can I know WHOM a MAC address belongs to?

You will not know which MAC address belongs to which user; you will have to place your users in a specific group and have your authorization profile the devices based on the endpoint group and user group condition before they are granted access to the network. Endpoints only appear as the device type after they meet the certainty that you have specified.

I hope this helps,

Tarik Admani

Thanks

Hi Tarik,

Thanks for reply.

quick one

1. Is ISE only designed to support 802.1x? Can it support WPA2+PSK normal wireless authentication?

thanks

Noel

WPA-PSK terminates at the controller; there is no RADIUS since the key has to match on the client and the controller. There isn't a yes or a no to this question since the design of WPA-PSK doesn't utilize a backend service.

Thanks for the reply, your statement makes it clear to me now.

thanks again

Hi,

I want to resurrect this thread.

If we have use cases that require WPA-PSK, will we be forced to point this traffic through the legacy NAC in-band appliances for proper authorization?

The devices that use WPA-PSK are legacy devices that don't support 802.1x, but we'll need a way to ensure that the devices connecting to the WPA-PSK enabled SSID are approved devices.

So, in a nutshell, the devices for this use case will have to be profiled and authorized based on device type or MAC address.

Any other ideas out there besides NAC?

You can use ISE. It allows control using a web portal so users can log in and authenticate, and you can distribute the agent for device posture. In this case you don't have to worry about PSK; you can use L3 web authentication and RADIUS. You no longer have to place a device inline like you did in the NAC days. When a user is not compliant, ISE will send redirect ACLs to the controller, where all traffic is redirected, then it uses CoA to lift the redirection policy once the endpoint is compliant.

Thanks,

Sent from Cisco Technical Support iPad App

This means that I would have to use port 80. I will not have that option with these endpoints.

Let's take a step back: do you have a mix of dot1x-capable and non-dot1x machines?

Keep in mind that layer 3 authentication goes through the controller, so essentially the controller is what allows the web authentication to go through and hit the ISE node.

I don't understand why you would need port 80; the authentication is done through port 8443, so it should bypass any WCCP or web-related access lists.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

So even if the port is 8443, these endpoints cannot open a browser. Think of the endpoints as being more like a wireless barcode scanner or a wireless printer.

Thanks for the clarification James.

You can then use MAC filtering in order to authenticate the devices. You can use DHCP options and the MAC vendor in order to build a policy and dynamically assign these devices to a VLAN.

I hope that helps.

Tarik Admani
*Please rate helpful posts*
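As an added example (not ISE's own code, and not code from anyone in this thread), the following Python sketch models the profiling approach Tarik describes: MAC-vendor (OUI) and DHCP-option conditions each contribute a certainty factor, an endpoint is classified only once a profile's minimum certainty is reached, and the matched profile drives the VLAN assignment. An endpoint that matches no profile, for instance one that only has the right OUI, stays in a quarantine VLAN instead of being trusted on the vendor prefix alone. The OUI prefixes, vendor names, profile names, VLAN numbers and DHCP option values are all constructed for this example and do not correspond to real assignments.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed OUI-to-vendor table for this example. The prefixes are
# hypothetical and are NOT real IEEE assignments.
OUI_VENDORS: Dict[str, str] = {
    "00:11:22": "ExampleScan Corp",   # hypothetical barcode-scanner vendor
    "AA:BB:CC": "ExamplePrint Ltd",   # hypothetical printer vendor
}

QUARANTINE_VLAN = 999  # hypothetical VLAN for endpoints matching no profile


@dataclass
class Endpoint:
    mac: str
    dhcp_options: Dict[str, str] = field(default_factory=dict)


@dataclass
class Condition:
    attribute: str   # "oui-vendor" or "dhcp:<option-name>"
    contains: str    # case-insensitive substring match
    certainty: int   # certainty factor contributed on a match


@dataclass
class Profile:
    name: str
    min_certainty: int
    conditions: List[Condition]
    vlan: int


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55 and
    return the upper-case colon-separated form; reject anything else."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_vendor(mac: str) -> Optional[str]:
    """Vendor for the first three octets, or None when the OUI is unknown."""
    return OUI_VENDORS.get(normalize_mac(mac)[:8])


def endpoint_attributes(ep: Endpoint) -> Dict[str, str]:
    """Flatten what the profiler has learned about an endpoint into one map."""
    attrs: Dict[str, str] = {}
    vendor = oui_vendor(ep.mac)
    if vendor:
        attrs["oui-vendor"] = vendor
    for name, value in ep.dhcp_options.items():
        attrs[f"dhcp:{name.lower()}"] = value
    return attrs


def score(profile: Profile, ep: Endpoint) -> int:
    """Sum of certainty factors for every condition the endpoint satisfies."""
    attrs = endpoint_attributes(ep)
    total = 0
    for cond in profile.conditions:
        value = attrs.get(cond.attribute)
        if value is not None and cond.contains.lower() in value.lower():
            total += cond.certainty
    return total


def classify(profiles: List[Profile], ep: Endpoint) -> Optional[Profile]:
    """Best-scoring profile whose minimum certainty is reached, else None."""
    best: Optional[Profile] = None
    best_score = 0
    for p in profiles:
        s = score(p, ep)
        if s >= p.min_certainty and s > best_score:
            best, best_score = p, s
    return best


def authorize(profiles: List[Profile], ep: Endpoint) -> Dict[str, object]:
    """Authorization decision: matched profile and its VLAN, or quarantine."""
    p = classify(profiles, ep)
    mac = normalize_mac(ep.mac)
    if p is None:
        return {"mac": mac, "profile": "Unknown", "vlan": QUARANTINE_VLAN}
    return {"mac": mac, "profile": p.name, "vlan": p.vlan}


# Constructed profiles: the OUI alone (10) never reaches the threshold (30).
PROFILES = [
    Profile("Barcode-Scanner", min_certainty=30, vlan=110, conditions=[
        Condition("oui-vendor", "ExampleScan", 10),
        Condition("dhcp:class-identifier", "examplescan", 20),
    ]),
    Profile("Network-Printer", min_certainty=30, vlan=120, conditions=[
        Condition("oui-vendor", "ExamplePrint", 10),
        Condition("dhcp:host-name", "PRN-", 10),
        Condition("dhcp:class-identifier", "exampleprint", 20),
    ]),
]

# Constructed sample endpoints (hypothetical MACs and DHCP values).
SAMPLE_ENDPOINTS = [
    Endpoint("0011.2233.4455", {"class-identifier": "ExampleScan-Handheld/2.1"}),
    Endpoint("aa-bb-cc-00-00-01", {"host-name": "PRN-LOBBY"}),  # 20 < 30: not trusted
    Endpoint("de:ad:be:ef:00:01", {"host-name": "laptop"}),     # unknown OUI
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(authorize(PROFILES, ep))
```

The second sample endpoint is the case worth noticing: it carries a printer OUI and a printer-like hostname, both of which are trivially spoofable, and still lands in the quarantine VLAN because the DHCP class identifier that would push it over the minimum certainty is absent. Raising the threshold or weighting harder-to-forge attributes more heavily is how such a policy is tuned.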
