Lab Minutes Forum

Technical Discussion => Security => Topic started by: achelovekov on December 23, 2013, 05:37:29 AM

Title: ISE 1.2 and NAC Protocols
Post by: achelovekov on December 23, 2013, 05:37:29 AM
Hello!
Question 1:
Within a Cisco ISE 1.2 NAC deployment (with 802.1x), which protocols are used for delivering posture status to the ISE posture service, and how can ISE deliver policy to the switch?
Please clarify the full flow of operation with Posture Agents and ISE.

Question 2:
As Cisco NAC Appliance is used for NAC purposes, we no longer need to use 802.1x (am I right?). So by which means and protocols do NAC Agents send and receive posture information?

As I read, the SWISS protocol is used for Agents management (am I right?)

Thanks in advance

Title: Re: ISE 1.2 and NAC Protocols
Post by: MC on December 23, 2013, 05:57:51 AM
1. Can't seem to find a Cisco doc that explains this fully, but the ideas are:
     - Client passes RADIUS authentication (802.1x or MAB) and ISE sends posture redirect URL
     - NAC Agent goes through server discovery. Here is more info: http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bec10c.shtml
     - NAC Agent goes through posture assessment while in communication with ISE over SWISS
     - Client passes/fails assessment and ISE returns appropriate authorization profile via RADIUS to switch/WLC

2. NAC Agent is not a replacement of 802.1X supplicant (at least until it gets rolled into the AnyConnect client). As explained above, authentication and posture assessment are two separate processes.