
Cisco ISE 2.1 Easy Connect

September 13, 2016

One of the more complex configuration components of a Cisco ISE deployment, and possibly a stumbling block when deciding whether to deploy it in a corporate network, was the configuration of 802.1X. 802.1X required client-side supplicants (native or Cisco provided) to be configured, specialised switch configuration and an in-depth understanding of the RADIUS protocol, all of which added much complexity and time to the deployment.

With ISE 2.1 release Cisco introduced Easy Connect which enables you to easily connect users from a wired endpoint to a network in a secure manner by authenticating them through an Active Directory Domain Controller and not by Cisco ISE. Easy Connect supports wired connections using MAB, which is much easier to configure than 802.1X.

Easy Connect supports two modes: Enforcement mode, which actively downloads the authorization policy to the network device for enforcement based on the user credentials, and Visibility mode, in which ISE publishes the session merge and accounting information received from the NAD device sensor so that it can be sent to pxGrid.

So the Easy Connect Enforcement mode process is as follows:

1. The user connects to the NAD from a wired endpoint (running Windows).

2. The NAD (which is configured for MAB) sends an access request to ISE. ISE responds with access, based on the user configuration, allowing the user to reach AD. The configuration must allow at least access to DNS, DHCP and AD (this will be part of the pre-auth ACL).

3. The user logs in to the domain and a security audit event is sent to ISE.

4. ISE collects the MAC address from RADIUS and the IP address and domain name, as well as accounting information (login information) about the user, from the security audit event, using WMI.

5. Once all data is collected and merged in the ISE session directory, ISE issues a CoA to the NAD (based on the appropriate policy), and the user is provided access by the NAD to the network based on that policy.
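The correlation behind steps 2 to 5, as a simplified model added here (not ISE's own code or data): a MAB session starts on the pre-auth ACL, the AD security audit event is joined to it on IP address, and a CoA is issued only when the merge succeeds and an Easy Connect condition in the (hypothetical) authorization policy matches. All MAC, IP, user and ACL values are constructed.

```python
"""Simplified model of the Easy Connect enforcement-mode session merge."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample inputs; not real RADIUS or AD data.
RADIUS_MAB_SESSION = {"mac": "00:11:22:33:44:55", "ip": "10.1.20.17",
                      "nas": "switch01", "port": "Gi1/0/7"}
AD_AUDIT_EVENT = {"user": "alice", "domain": "corp.example",
                  "src_ip": "10.1.20.17", "groups": ["Domain Users", "Finance"]}

# Hypothetical authorization policy: (AD group in Easy Connect condition, dACL).
AUTHZ_POLICY = [("Finance", "PERMIT_FINANCE"), ("Domain Users", "PERMIT_CORP")]
PRE_AUTH_ACL = "PRE-AUTH-DNS-DHCP-AD"  # placeholder name for the pre-auth ACL


@dataclass
class Session:
    mac: str
    ip: str
    nas: str
    user: Optional[str] = None
    domain: Optional[str] = None
    groups: list = field(default_factory=list)
    acl: str = PRE_AUTH_ACL


def mab_access_accept(radius: dict) -> Session:
    """Step 2: MAB request is accepted with only the pre-auth ACL applied."""
    return Session(radius["mac"], radius["ip"], radius["nas"])


def merge_audit_event(session: Session, event: dict) -> bool:
    """Step 4: join the AD logon event to the RADIUS session on IP address."""
    if event["src_ip"] != session.ip:
        return False  # no match: session stays unauthenticated on pre-auth ACL
    session.user, session.domain = event["user"], event["domain"]
    session.groups = list(event["groups"])
    return True


def choose_coa(session: Session) -> Optional[dict]:
    """Step 5: first matching Easy Connect condition wins; None means no CoA."""
    if session.user is None:
        return None
    for group, acl in AUTHZ_POLICY:
        if group in session.groups:
            return {"nas": session.nas, "mac": session.mac, "acl": acl}
    return None


def enforce(radius: dict, event: dict):
    """Run the whole flow; returns the final session and the CoA (or None)."""
    session = mab_access_accept(radius)
    coa = choose_coa(session) if merge_audit_event(session, event) else None
    if coa:
        session.acl = coa["acl"]
    return session, coa
```

An audit event whose source IP does not match any MAB session produces no CoA, so the endpoint keeps the pre-auth ACL.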

Easy Connect Restrictions include:

MAC Authentication Bypass (MAB) supports Easy Connect. Both MAB and 802.1X can be configured on the same port, but you must have a different ISE policy for each service.

Only MAB connections are currently supported. You do not need a unique authentication policy for connections, because the connection is authorized and permissions are granted by an Easy Connect condition defined in the authorization policy.

Only Cisco Network Access Devices (NADs) are supported.

IPv6 is not supported.

Wireless connections are not currently supported.

This is a great feature added to ISE and one that will give corporate customers more confidence in deploying it, as the workload and complexity of an ISE deployment have now been reduced a little.

For further information have a look at the following link: ISE Admin guide


Gabriel Bryson

Lead Security Instructor for Fast Lane UK
