Monday, January 7, 2019

Cisco ISE - Wired - Where to start?

Greetings fellow packet pushers,

I typically don't see a ton of ISE posts on here, but thought I'd try to gain some insight from those who possibly have done these trials and tribulations before me. Any advice is welcome!

We've got ISE dual-georedundancy stood up, TACACS+ device admin, wireless CWA on Guest, wireless dot1x on corp SSID (using user auth validating via AD), with AnyConnect VPN Radius auth spinning up shortly, all authc/zing through ISE. No posturing yet, but once the wired side is a little more settled, I'd like to get to it.

Now we're just starting to get into the nitty-gritty of wired configuration. So far it hasn't been too hard and I've got a template stood up for Monitor Mode at a few sites running as expected (seeing correct authc/z failures/successes based on existing infra and policies), but I'm running into a wall here as far as to WHICH devices to start auth'cing with, and wanted some insight. We've got ~60 sites globally, all running on Cisco gear with a mix of 2k, 3k, 4k and 9k Cat platforms.

The biggest thing for us is the myriad of IOT across the infra, and that's where I think we'll run into trouble. See, most of our proprietary stuff relies on Android, Windows(x) platforms, Linux, and the like. I've no doubt that a lot of users have just plugged in these boxes across the infrastructure without pinging IT beforehand and just have it up and running (no port-security I know, bad network engineer, but hear me out, I inherited a lot of this).

I've been hammering out a VLAN schema at sites that I've gone and renovated and put said boxes on that schema, but it's hard to keep up when we don't have constant eyes on a site (we're a lean team, and there's only 2.5 network engineers atm to assist in rollout/upkeep). So, for example, in ISE I'll see a ton of stuff on our user network, but because it all looks like Windows/Microsoft boxes to ISE, I've no idea if it's an actual user's machine or one of our IOT boxes spread across the infra. AND, for these boxes, I can't really add an agent or anything to differentiate, and the attributes I'm getting back are not anything I can really match on. So, right now I'm kind of paralyzed - I've got close to 14k devices across the entire infra (some of it is duplicate machines, wireless and wired NICs on one laptop, etc.) and not quite sure where to start. Do we try to hit the domain-joined machines first? Tackle the IOT boxes? Not to mention temperature sensors, custom card scanners built by a small company in who-knows-where, France, etc. that have to be manually classified, etc. Working with a consulting company on the rollout, so they should have some insight, but thought I'd talk here a little bit about it as well.

End-state, ideally, is Low-Impact mode - at the end of the day, a contractor/visitor should be able to plug into our network and hit the Guest auth sequence on wired and get the appropriate dACL pushed down. For all other device types/groups, I'd like to be able to have them authc'ing in policy-sets and get regular access. And, for most of the "typical" types of devices, I've already got those policies hammered out. For domain-joined machines, Cisco IP phones, Meraki cameras, etc. across the infrastructure, I've got successful authc/z going for dot1x wired and MAB/logical profiling for the Meraki gear, printers, IP phones, and so on. We have an ELA in place where profile-based licensing isn't a big deal and I can push a GPO to all the domain-joined machines to turn on dot1x and be able to authc without an issue on wired in its current state.
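For readers following the Monitor Mode to Low-Impact progression described above, here is an added example (not from the post, and not a template the author or Cisco published) of a classic-style IOS port template for both stages. The interface names, VLAN IDs, ISE PSN addresses, and the shared-secret placeholder are all assumptions; the only thing that changes between the two stages is the pre-auth ACL on the port, which is what makes the failure path in Low-Impact mode actually restrict traffic instead of just logging it.

```cisco
! ---- Global AAA toward ISE (assumed PSN addresses 10.0.0.11 / 10.0.0.12) ----
aaa new-model
aaa authentication dot1x default group ISE-PSN
aaa authorization network default group ISE-PSN
aaa accounting dot1x default start-stop group ISE-PSN
radius server ISE-PSN-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
radius server ISE-PSN-2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
aaa group server radius ISE-PSN
 server name ISE-PSN-1
 server name ISE-PSN-2
! VSAs carry the dACL name / profiling data ISE needs
radius-server vsa send authentication
radius-server vsa send accounting
dot1x system-auth-control
! device tracking is required for dACLs to be applied per endpoint IP
ip device tracking

! ---- Pre-auth ACL used only in Low-Impact mode ----
! Before authorization an endpoint may only get an address, resolve names,
! and TFTP-boot (phones). ISE replaces this with a dACL on success, so every
! permissive authorization profile must return a dACL or the port stays here.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 permit icmp any any
 deny ip any any

! ---- Stage 1: Monitor Mode (assumed port Gi1/0/1) ----
! 'authentication open' lets all traffic through regardless of result;
! ISE still sees every MAB/dot1x attempt, which is the visibility needed
! to sort IoT boxes from user machines before enforcing anything.
interface GigabitEthernet1/0/1
 description Monitor Mode - log auth results, never block
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication host-mode multi-auth
 authentication port-control auto
 authentication event fail action next-method
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! ---- Stage 2: Low-Impact Mode (assumed port Gi1/0/2) ----
! Identical to Monitor Mode plus the PRE-AUTH port ACL. Authenticated
! endpoints get their dACL from ISE; unknown/failed endpoints (the guest
! and contractor case) keep only what PRE-AUTH allows until CWA completes.
interface GigabitEthernet1/0/2
 description Low-Impact Mode - open port with pre-auth ACL, dACL from ISE
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ip access-group PRE-AUTH in
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication host-mode multi-auth
 authentication port-control auto
 authentication event fail action next-method
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The practical check before flipping a site from the first stanza to the second is to confirm in ISE's live logs that every endpoint class you expect to keep working on that site (domain-joined, phones, cameras, printers) is already hitting an authorization profile that returns a permit dACL; anything still landing on the default rule will be cut back to PRE-AUTH the moment the ACL is applied.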

Soooo, that's kind of where I'm at atm. Not expecting any solutions, but thought I'd just throw this out there and see what came back. Thanks for reading, and I really appreciate any and all feedback.
