collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: Transitioning ISE to Low Impact Mode  (Read 11060 times)

Offline sayre

  • Cisco Newbie
  • *
  • Posts: 3
  • Reputation: 1
  • Certification: N/A
Transitioning ISE to Low Impact Mode
« on: May 12, 2015, 06:18:10 AM »
Hello all

Please I am looking for some guidance for my ISE project here.

I have had ISE v1.2.1 running in monitor mode for a while now. There are around 50 branch offices and 300 LAN switches in the deployment. I am authenticating domain workstations and thin clients (Wyse) using dot1x via internal CA issued certificates and all other endpoints by MAB allowing ISE to auto-populate the internal endpoints store. My PSNs are not AD-joined simply because there are several AD domains in the environment with no 2-way trust. Also there are no requirements at the moment for guest wired or WLAN. By and large, there have been no issues.

I am now looking to transition the deployment to low impact mode and enforce policies to allow only corporate assets on the wired LAN. I already have network device groups with devices classified according to their deployment stages. The transition will be on a site by site basis. My initial thoughts around doing this were:

A1. use the inbuilt ip phones and AP profiles and allow matching endpoints  >> which has license implications
A2. build a whitelist with the dynamically built MAC addresses for other devices (printers and the likes)
A3. any workstations using MAB be denied access

My questions:

Q1. Is there a more elegant/dynamic way of achieving the objective of allowing only corporate assets, PCs and all, to join the network?
Q2. I know ISE will keep adding devices to the internal endpoints store as long as the RADIUS, DHCP probes are enabled on my PSNs. Does it make sense to still use the approach in A2 above?
Q3. Any other useful tips and practical insights from other people's real world experience.

Thanks
 

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Transitioning ISE to Low Impact Mode
« Reply #1 on: May 13, 2015, 09:32:31 PM »
If all you are looking to do is either permit or deny devices that are considered corporate asset, you are probably on the right track. All 802.1x capable devices should have a cert install and you can authenticate based on that. Other non-802.1x devices like printer or IP phone can be profiled and allowed access based on device type. It sounds like you already have different set of auth policy setup to switch a site from low-impact to full enforcement. You just need to make sure all MAB devices are profiled properly so they won't show up as unknown or some generic device that are denied by your authorization rule.
With that said, since you are not doing any user authentication, you will not be able to enforce different level of access based on user identity nor that you will have any record of user login activity but if those are not important to you, then you don't need to worry about it.

Offline sayre

  • Cisco Newbie
  • *
  • Posts: 3
  • Reputation: 1
  • Certification: N/A
Re: Transitioning ISE to Low Impact Mode
« Reply #2 on: May 15, 2015, 01:33:17 AM »
Thanks MC. Yes I do have the device groups and profiling all configured and working as expected - roughly 1% of devices are hitting unknown profile and I can have a go at why they are so as time goes on. And yes for the moment, user login records/activities have not been listed as requirements.

Thanks for responding and good to know I'm on the right track

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Transitioning ISE to Low Impact Mode
« Reply #3 on: May 15, 2015, 05:57:46 AM »
You would want to make sure all MAB devices on switches are accounted for and profiled properly before cutting a site over otherwise the unknown devices may be blocked. Good luck..

 

SimplePortal 2.3.7 © 2008-2024, SimplePortal