Friday, July 6, 2018

ISE Trial and Wireless Design

TL;DR: I'm trying to find out what other universities might be doing for BYOD wired/wireless access, especially in dorms, and for the general staff/faculty/student wireless. I'm mostly looking for answers involving Cisco ISE, but I'd certainly be interested in hearing from people using other products, since the design part should be mostly universal.

I'm doing a 90 Cisco ISE trial to see what else is out there in the NAC world. I've seen lots of other great suggestions on this subreddit and I may look at some of those as well, but I wanted to start with ISE as we're also in the early stages of evaluating the pros/cons of SD-Access. Here is the current setup with our existing NAC:

  • Cisco WLC
  • Mostly Cisco 2960-X for Layer 2 with a few spots with 3rd party switches
  • Three basic use cases (all captive portal/RADIUS authentication is backed by AD, which contains all of our staff, faculty, and students):
    • Dorm access (wired and wireless) with a captive portal using RADIUS and MAB. These networks see all sorts of consumer/home devices.
    • Academic wireless, which allows staff/faculty/students to log in to a captive portal using RADIUS and MAB.
    • Guest wireless, which doesn't require any sign-in or registration but still flows through our NAC in case we need to blacklist a MAC. Once a user has signed in to either the dorm or academic wireless, they can no longer use Guest.
  • Both the above-mentioned dorm and academic networks have posture enforcement for Windows and OS X that includes things such as making sure the OS is patched, AV is installed/updated, proper DNS is set, P2P programs are not running, etc. Posture enforcement is accomplished via a service that runs on the client computer.
  • ACLs are really simple now and basically give everyone the same amount of access; we do the rest of our access control at our centralized firewall.

What we like on our current setup:

  • User identity capture on as many devices as possible on networks other than guest
  • Device history/data

What we don't like:

  • No IPv6
  • Posture enforcement in dorms seems like a lot of effort for little gain and nobody really likes installing the client (I know we lose some device data without the client)

To start on this ISE trial, I've created a Guest Hotspot portal to recreate the guest access we currently have with the addition of an AUP page they have to click through. I haven't added the block for registered users yet but the rest seems to work fine.

I'm kind of stuck on the rest... should the dorm networks be set up as more Guest portals or as BYOD (since ISE has different configs for each)? If BYOD, should we go towards full 802.1X cert provisioning with MAB as a backup (keeping in mind we'd probably try to use native supplicants)?
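For reference, this is what the "802.1X first, MAB as backup" wired edge design looks like on a Cisco 2960-X (IOS 15.x legacy authentication syntax) pointed at ISE. This is an added example, not configuration from the original post or from Cisco's documentation; the ISE PSN address, shared secret, VLAN number, and interface description are placeholders.

```cisco
! --- Global AAA: authenticate/authorize/account against ISE over RADIUS ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ISE Policy Service Node (placeholder address and secret)
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
! Accept Change of Authorization from ISE so it can move a session
! (portal redirect -> full access, posture result, quarantine) without
! waiting for the next reauthentication
aaa server radius dynamic-author
 client 192.0.2.10 server-key REPLACE_WITH_SHARED_SECRET
!
! Send Cisco VSAs so ISE can push a downloadable ACL or named ACL/VLAN
radius-server vsa send authentication
radius-server vsa send accounting
!
! dACLs and URL redirects need the switch to know each client's IP
ip device tracking
!
! Turn on 802.1X globally (ports still default to open until configured)
dot1x system-auth-control
!
! --- Dorm edge port ---
interface GigabitEthernet1/0/1
 description Dorm room placeholder
 switchport mode access
 switchport access vlan 100
 ! Several devices (laptop, console, printer) behind one jack, each
 ! authenticated separately
 authentication host-mode multi-auth
 ! Try the supplicant first; fall back to MAB for headless consumer gear
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! On 802.1X failure or timeout, move to the next method (MAB) instead
 ! of leaving the session dead
 authentication event fail action next-method
 ! Let ISE dictate the reauth interval via Session-Timeout
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! tx-period * (max-reauth-req + 1) = 30 s before a non-supplicant device
 ! falls through to MAB; lower values speed up consumer devices, higher
 ! values give slow supplicants more time
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

With this in place the switch only decides the order of methods; what each device is allowed to do after MAB or 802.1X succeeds (guest portal redirect, registered-device VLAN, dACL) is returned by the ISE authorization policy, which is where the Guest-vs-BYOD portal decision from the question actually lands.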

Same questions for the Academic wireless... I'm also wondering whether posture enforcement makes more sense here; however, it's a lot of money to pay for AnyConnect user licenses, at least with our current design where we do access control at the firewall level.

Multiple SSIDs or just one for everywhere and use ISE profiling and user identity to sort it all out?

I also rather like the idea of having a My Devices portal that each user could go to and add/modify/remove devices on their account for access, but I'm not sure whether this is really designed to work with the ISE guest setup or requires BYOD.

Setting up Eduroam might be something I look at as well.

Excited to hear what other universities with on-campus housing are doing!