Phased Deployment of ISE
- By default, when we enable MAB/802.1X on the port facing the supplicant, all network access (DHCP, DNS etc.) is restricted until the session is authorized.
- Only EAPOL traffic is allowed by default before authentication.
- After successful authentication, network access is granted based on the permissions specified in the ISE authorization policy.
- This default behaviour creates implementation issues: if something is misconfigured, users can lose network access.
- Phased Deployment is Cisco's approach to implementing MAB/802.1X gradually; from the users' point of view the implementation is transparent.
- Phased Deployment is done in three phases:
  i) Monitor Mode
  ii) Low Impact Mode
  iii) Closed Mode
Monitor Mode
- This is the first phase of ISE implementation.
- The main purpose of this mode is to test authentication functionality.
- In this phase we do three things:
  i) Configure the supplicant on the end device
  ii) Configure authentication policies on ISE
  iii) Configure 802.1X/MAB on the network device (switch/WLAN)
- Users get full network access even after failed authentications.
- This lets us troubleshoot why an authentication fails without affecting users.
- Implemented with the authentication open command on the network device.
Low Impact Mode
- This is the second phase of ISE implementation.
- The main purpose of this mode is to test authorization functionality.
- Enter this phase only when all users are authenticating successfully in Monitor Mode.
- Keep the same configuration (the three steps) as in Monitor Mode.
- In this mode we also configure a static ACL that restricts network access before authentication (for example, allow only DNS/DHCP/EAP traffic before authentication).
- Implemented with the authentication open command on the network device together with the static ACL.
- Users will get full network access even after failed authentications.
Closed Mode
- This is the third phase of ISE implementation.
- Enter this phase only when all users authenticate successfully and pass through the authorization policies as expected.
- Authorization (e.g. an ACL) is received from ISE.
- Users won't get network access until they are successfully authenticated.
- Remove the authentication open command.
- Only EAPOL traffic is allowed before authentication.
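As an added example that is not part of the original notes, the Catalyst switch configuration for the three phases using the classic authentication-manager CLI; the interface name, VLAN, ISE address 192.0.2.10 and the shared secret are placeholders assumed for illustration:

```cisco
! --- Global AAA / RADIUS (identical in all three phases) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
ip device tracking                      ! needed so an ISE dACL can be bound to the client IP
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813   ! placeholder ISE address
 key <SHARED-SECRET-PLACEHOLDER>
!
! --- Static pre-auth ACL used in Low Impact Mode (DHCP and DNS only) ---
! EAPOL is a Layer 2 frame (EtherType 0x888E), so an IP ACL never blocks it.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
! --- Phase 1: Monitor Mode ---
! "authentication open" keeps the port forwarding even when dot1x/MAB fails,
! so authentication results can be checked on ISE without any user impact.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode multi-auth
 authentication open
 mab
 dot1x pae authenticator
!
! --- Phase 2: Low Impact Mode (Monitor Mode + static ACL) ---
! Before authorization only PRE-AUTH traffic passes; a dACL returned by ISE
! overrides the port ACL for the authenticated session.
interface GigabitEthernet1/0/1
 ip access-group PRE-AUTH in
 authentication open
!
! --- Phase 3: Closed Mode ---
! Without "authentication open" only EAPOL passes before authentication;
! the static ACL is optional now because the ISE dACL governs access.
interface GigabitEthernet1/0/1
 no authentication open
 no ip access-group PRE-AUTH in
```

Apply one interface block at a time as the deployment moves from phase to phase; the global section stays the same throughout.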