Fully functional ISE for heterogeneous

ymadheka
Level 4

Hi Team,

We have received a query from a customer who is getting merged into other organizations and wants to implement NAC in the environment as below:

Environment: As it is all a merger case, not an acquisition, each of the A, B, C companies will use its own products, and management is also different. The security policy will be the same, but A, B, C etc. will sit together with the flexibility to access their individual servers and also each other's servers. So there will be some security compliance server which will ensure the total security policy and only then allow the workstation to access the resources as per its profile. Companies A/B/C have their own domain server, patch server and AV server. The requirement is that whenever a user is trying to connect to the network, it will first be identified which company he belongs to, and then based on his credentials he will get access.

Requirements:

  • Company A employees will access Company A servers, and a few employees of A will also access some Company B & C servers; the same applies to Company B and Company C. All access has to pass through all types of required security, because employees of Company B & C are intruders to Company A, and vice versa.
  • Any employee of any company can sit anywhere and will get his profile-based access with all types of security protection.

Basically the requirement is that any employee of any company will sit anywhere in the organization with controlled, secure access to each other's resources.

Does anyone have experience of deploying ISE in such an environment?

Thanks in advance for any help here.

Thanks & Regards,

Yogesh Madhekar

Accepted Solution

kthiruve
Cisco Employee

Hi Yogesh,

Here are a couple of options.

1. Have you thought about using TrustSec? This can be easily solved with TrustSec, by knowing the employee group of Company A, B, C.

ISE supports up to 50 AD domains. So if you have, say, 3 companies in your case, you need to add all three AD domains in ISE and whitelist them for authentication.

Do not use NDG in policy, since they seem to use common infrastructure.

Create SGTs for the different employees in Companies A, B, C. For example:

Company A has SGT 1-50, Company B has SGT 51-100 and so on, and configure policies in ISE based on the user role. Define the policy matrix.

You can also use multiple TrustSec matrices, a concept introduced in ISE 2.2.

Please see the scale limits of TrustSec SGTs and SGACLs in ISE:

https://communities.cisco.com/docs/DOC-68347

2. SDA would be a better solution, as it fits in as an automated solution of macro-segmentation between companies using Virtual Networks and micro-segmentation between employees using Scalable Group Tags.

However, the fact that any employee can sit anywhere makes this a little hard. But you can also have a single VN and use micro-segmentation alone. Long term, this would be a good choice.

3. Another way is to have one ISE cube for a few companies, depending on the location, complexity, number of endpoints etc. You still need to use TrustSec for enforcement to satisfy your needs easily.

Hope it helps.

Thanks

Krishnan

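As an added illustration, not part of Krishnan's post, here is what the enforcement side of such a policy matrix looks like as static IOS CLI on a TrustSec-capable switch; in a real deployment ISE pushes the matrix and SGACLs to the switch, so these static entries only make the mechanics visible. The SGT numbers, server subnets, VLAN IDs and RBACL names are assumptions chosen to match the "Company A has SGT 1-50, Company B has SGT 51-100" allocation above.

```cisco
! Added illustration, not from the thread: static TrustSec enforcement on an
! IOS switch mirroring per-company SGT ranges (A: 1-50, B: 51-100, assumed).
! Assumed SGT values: 10 = Company A employees, 20 = Company A servers,
!                     60 = Company B employees, 70 = Company B servers.
!
! Static IP-to-SGT mappings for the server subnets (assumed addresses).
! Employee SGTs normally arrive from ISE in the 802.1X/MAB authorization
! result, which is what lets a user "sit anywhere" and keep his profile.
cts role-based sgt-map 10.1.10.0/24 sgt 20
cts role-based sgt-map 10.2.10.0/24 sgt 70
!
! Role-based ACLs (SGACLs): full access to your own company's servers,
! HTTPS only across companies, and an explicit deny for the default cell.
ip access-list role-based OWN_COMPANY_FULL
 permit ip
ip access-list role-based CROSS_COMPANY_HTTPS
 permit tcp dst eq 443
 deny ip
ip access-list role-based DENY_ALL
 deny ip
!
! Policy matrix cells: source SGT -> destination SGT -> SGACL.
cts role-based permissions from 10 to 20 OWN_COMPANY_FULL
cts role-based permissions from 60 to 70 OWN_COMPANY_FULL
cts role-based permissions from 10 to 70 CROSS_COMPANY_HTTPS
cts role-based permissions from 60 to 20 CROSS_COMPANY_HTTPS
!
! Any pair not covered by a cell is dropped: this is what makes Company B
! employees "intruders" to Company A servers by default, and vice versa.
cts role-based permissions default DENY_ALL
!
! Enable enforcement globally and on the server VLANs (assumed IDs).
cts role-based enforcement
cts role-based enforcement vlan-list 110,210
```

`show cts role-based permissions` displays the resulting matrix on the switch, and `show cts role-based counters` shows which cells are actually permitting or dropping traffic.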


Hi Krishnan,

Thanks for the reply.

Kindly advise on the below:

· Although I don't have expertise on TrustSec, as I understand it the ability to use SGTs for identifying and enforcing policies for the employees of different organizations depends on the networking infrastructure for compatibility. Currently we don't have the exact idea about the switching details of the other organization; is there anything specific to be checked to satisfy the stated requirement of the customer?

· In case the domains don't have any trust for now, do we need to install separate instances of PAN for adding these domains?

Thanks & Regards,

Yogesh Madhekar

Cisco Systems India

H/P: +91 99308 63027 | Desk: +91 22 40011205 | ymadheka@cisco.com

Hi Yogesh,

I just saw your responses. Sorry I couldn't get back before.

For TrustSec, here are the resources:

TrustSec Compatibility: http://cs.co/trustsec-compatibility

TrustSec Resources: http://cs.co/trustsec-resources

ISE supports 50 domains for the entire deployment, which means the PAN, or the PAN in HA mode.

Here are the ISE Compatibility Guides: http://cs.co/ise-compatibility

-Krishnan
