Does ISE Support My Network Access Device?

 

ISE Supports the RADIUS and TACACS Protocols

 

If your network device can issue access control requests using the standard RADIUS and TACACS protocols, then ISE can support it! ISE supports RADIUS to perform access control with whatever enforcement mechanisms the network device's hardware and software support.

 

The capabilities of a given network device to do port-based access control with the IEEE 802.1X standard are software - and often hardware - dependent! Simply supporting RADIUS does not mean the network device supports many useful enforcement capabilities like MAC Authentication Bypass (MAB), RADIUS Change of Authorization (CoA) [RFC-5176], Layer-3/4 Access Control Lists (ACLs), domain-based ACLs, URL-redirection or software-defined segmentation with Cisco TrustSec. We cannot always tell you what any given network device is capable of and you may need to research that with the vendor or product team.

 

When people ask "Does ISE support my network device?" they are really asking "Can ISE give me all of these modern access control capabilities even with this old, inexpensive switch?" For these older and less expensive switches, ISE offers features like SNMP CoA and Authentication VLAN to provide some of the similar capabilities needed to handle Guest, BYOD and Posture flows.

 

 

ISE Compatibility Guides

 

Always check the ISE Compatibility Guides to see what our Quality Assurance (QA) team has validated for each ISE release.

 

 

I Don't See My Hardware or Software in the ISE Compatibility Guide

 

There are many reasons why both Cisco and non-Cisco devices may not be listed:

  1. Our QA team cannot afford to test every single hardware and software combination with every ISE release
  2. New hardware platforms must be acquired and tested, which usually occurs within 6-9 months of the hardware release
  3. Not every model of a hardware family is validated - we pick one model and use that to represent the hardware family
  4. Not every software release is validated - we pick one released platform software version recommended by the platform team a few months before the actual ISE release for QA validation planning
  5. Older ISE releases will not be tested with newer network device software but should still work per the standards

 

 

ISE Supports Protocols

 

If you do not see your specific network device hardware or software in the ISE Compatibility Guides, it does not mean that it is not supported - it means that we have not validated its capabilities with ISE!

 

Just because a hardware model or software release is not explicitly listed does not mean that it will not work - only that we haven't validated it with ISE! The Supported Network Access Devices section of the ISE Compatibility Guides clearly states what ISE supports:

Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication.

ISE supports protocol standards like RADIUS, its associated RFC Standards and TACACS+.

 

If your network device supports RADIUS and/or TACACS+ then ISE can support it!

What you can do with ISE is then determined by your network device's capabilities.

 

 

Network Device Features for ISE

 

These are modern network device functions typically required to deliver ISE capabilities:

| ISE Capability | Network Device Features |
|---|---|
| AAA | 802.1X, MAB, VLAN Assignment, Downloadable ACLs |
| Profiling | RADIUS CoA and Profiling Probes |
| BYOD | RADIUS CoA, URL Redirection + SessionID |
| Guest | RADIUS CoA, URL Redirection + SessionID, Local Web Auth |
| Guest Originating URL | RADIUS CoA, URL Redirection + SessionID, Local Web Auth |
| Posture | RADIUS CoA, URL Redirection + SessionID |
| MDM | RADIUS CoA, URL Redirection + SessionID |
| TrustSec | SGT Classification |

 

So what do you do if your network device does not have all of the features for the ISE capability ...

 

 

ISE NAD Profiles

 

If you have:

  • inexpensive, low-end network device hardware
  • older network device hardware
  • older network device software

then you can use our ISE Third-Party NAD Profiles and Configs or create your own custom NAD profile. Using a NAD profile, you can completely customize how ISE communicates with your network device, whether that means using custom ports for RADIUS CoA or using Authentication VLANs instead of URL Redirection.

 

 

Network Device Validation Requests

 

If you do not see a particular hardware family listed and would like to suggest it, please send your validation request to surasky.