11-26-2011 05:11 AM - edited 03-10-2019 06:34 PM
Hi Forumers,
I am looking for some answers regarding ISE profiling.
I am able to use ISE to test an 802.1x wireless connection to an Active Directory external identity store.
Somehow for ISE, after enabling the profiling configuration on the deployment nodes, as long as a device authenticates properly and gets into the network, all of its MAC addresses are shown under Identity Management > Identities > Endpoints.
My question is:
01. Can I do 802.1x authentication without using external identity stores? So far I have only tested with Active Directory, not with ISE Identities > Users.
02. In an environment that does not use external identity stores for authentication, how am I able to know to WHOM a MAC address belongs?
Thanks
11-26-2011 08:46 AM
Please see my answers inline:
I am looking for some answers regarding ISE profiling.
I am able to use ISE to test an 802.1x wireless connection to an Active Directory external identity store.
Somehow for ISE, after enabling the profiling configuration on the deployment nodes, as long as a device authenticates properly and gets into the network, all of its MAC addresses are shown under Identity Management > Identities > Endpoints.
My question is:
01. Can I do 802.1x authentication without using external identity stores? So far I have only tested with Active Directory, not with ISE Identities > Users.
Here is a guide that has the protocols that are supported by the ISE internal user database:
http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_man_id_stores.html#wpxref86403
02. In an environment that does not use external identity stores for authentication, how am I able to know to WHOM a MAC address belongs?
You will not know which MAC address belongs to which user; you will have to place your users in a specific group and have your authorization profile the devices based on the endpoint group and user group condition before they are granted access to the network. Endpoints only appear as the device type after they meet the certainty that you have specified.
I hope this helps,
Tarik Admani
Thanks
11-27-2011 09:09 PM
Hi Tarik,
Thanks for reply.
quick one
1. Is ISE only designed to support 802.1x? Can it support normal WPA2+PSK wireless authentication?
thanks
Noel
11-27-2011 11:18 PM
WPA-PSK terminates at the controller; there is no RADIUS, since the key has to match on the client and the controller. There isn't a yes or a no to this question, since the design of WPA-PSK doesn't utilize a backend service.
11-29-2011 08:38 PM
Thanks for the reply, your statement makes it clear to me now.
thanks again
08-01-2012 02:37 PM
Hi,
I want to resurrect this thread
If we have Use Cases that require WPA-PSK, will we be forced to point this traffic through the legacy NAC in-band appliances for proper authorization?
The devices that use WPA-PSK are legacy devices that don't support 802.1x, but we'll need a way to ensure that the devices connecting to the WPA-PSK enabled SSID are approved devices.
So, in a nutshell, the devices for this Use Case will have to be profiled and authorized based on device type or MAC address.
Any other ideas out there besides NAC?
08-01-2012 05:46 PM
You can use ISE. It allows control using a web portal so users can log in and authenticate, and you can distribute the agent for device posture. In this case you don't have to worry about PSK; you can use L3 web authentication and RADIUS. You no longer have to place a device inline like you did in the NAC days. When a user is not compliant, ISE will send redirect ACLs to the controller, where all traffic is redirected, then it uses CoA to lift the redirection policy once the endpoint is compliant.
Thanks,
Sent from Cisco Technical Support iPad App
08-01-2012 10:05 PM
This means that I would have to use port 80. I will not have that option with these endpoints.
08-01-2012 10:11 PM
Let's take a step back: do you have a mix of dot1x-capable and non-dot1x machines?
Keep in mind that layer 3 authentication goes through the controller, so essentially the controller is what allows the web authentication to go through and hit the ISE node.
I don't understand why you would need port 80; the authentication is done through port 8443, so it should bypass any WCCP or web-related access lists.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-02-2012 07:05 AM
Thanks Tarik,
So even if the port is 8443, these endpoints cannot open a browser. Think of the endpoints being more like a wireless barcode scanner or a wireless printer.
08-02-2012 07:42 AM
Thanks for the clarification James.
You can then use MAC filtering in order to authenticate the devices. You can use DHCP options and the MAC vendor in order to build a policy and dynamically assign these devices to a VLAN.
I hope that helps.
Tarik Admani
*Please rate helpful posts*
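Tarik's two answers describe one mechanism: profile the endpoint from its MAC vendor and DHCP attributes, and only authorize it into a VLAN once it meets a certainty threshold for an endpoint group. The Python below is an added toy model of that logic, not code from the thread or from ISE; the profile names, OUIs, DHCP option 60 strings, score weights and VLAN ids are all constructed placeholders.

```python
# Added example (not from the thread or from ISE): toy endpoint profiling by
# MAC vendor OUI plus DHCP option 60 (vendor class identifier), followed by a
# VLAN authorization decision. All values below are constructed placeholders.
from dataclasses import dataclass

# Hypothetical profile table: group -> (known OUI prefixes, expected option-60 text)
PROFILES = {
    "barcode-scanner": ({"00:11:22"}, "ScannerOS"),
    "printer":         ({"AA:BB:CC"}, "PrinterFW"),
}
# Hypothetical authorization rules: endpoint group -> production VLAN
AUTHZ = {"barcode-scanner": 210, "printer": 220}
QUARANTINE_VLAN = 999   # constructed: where unprofiled devices land
MIN_CERTAINTY = 30      # constructed: both attributes must agree

@dataclass
class Endpoint:
    mac: str
    dhcp_option60: str  # vendor class identifier seen in DHCP DISCOVER/REQUEST

def oui(mac):
    """First three octets of the MAC, normalized to upper case."""
    return ":".join(mac.upper().split(":")[:3])

def profile(ep):
    """Score each profile: +10 for an OUI match, +20 for an option-60 match
    (constructed weights standing in for ISE certainty factors).
    Returns (best_group, best_score) or (None, 0) when nothing matches."""
    best, best_score = None, 0
    for name, (ouis, vci) in PROFILES.items():
        score = 0
        if oui(ep.mac) in ouis:
            score += 10
        if ep.dhcp_option60 and vci in ep.dhcp_option60:
            score += 20
        if score > best_score:
            best, best_score = name, score
    return best, best_score

def authorize(ep):
    """Return the VLAN to assign. An unknown device, or one whose OUI points at
    one profile while its DHCP fingerprint points at another, never reaches
    MIN_CERTAINTY and is parked in the quarantine VLAN instead."""
    group, score = profile(ep)
    if group is None or score < MIN_CERTAINTY:
        return QUARANTINE_VLAN
    return AUTHZ[group]
```

A device whose MAC was cloned from a scanner but whose DHCP vendor class says otherwise scores below the threshold, which is the reason for requiring more than the OUI alone.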