How to Implement 802.1X with Cisco ISE

In any operational data network, the two high-level outcome possibilities are connectivity and isolation. If every device can connect to every other device by enabling full connectivity, networking is relatively easy to create, but inherently unsecure. If a network fully isolates all forms of traffic, it is unusable.

Between these two extremes of connectivity and isolation exists an optimal balance for any organization.

How to achieve that optimal balance by implementing 802.1X with Cisco ISE. Your first line of defense is 802.1X.

An important question to ask when dealing with a data network is where should security be applied? If an intruder or unauthorized user attempts to access a network, the best place to apply security is as close to the source as possible.

That’s exactly where the protocol 802.1X comes in.

The 802.1X protocol was specifically designed to be the first security access protocol for any type of computing device attempting to access a network, whether by a wired connection, a wireless access point, or using a virtual private network (VPN). It only functions where any user first attempts to access a network, which also means that it plays no role in the core of any network.

802.1X is a formal standard by the Institute of Electrical and Electronics Engineers (IEEE), which means that different vendors can create unique products that all work together with this common standard. It allows authenticated uses to connect appropriately to the network and unauthenticated users to be effectively isolated.

802.1X Supplicants and NADs provide the Initial Access to the Network

Outside the world of IT, the term supplicant means one who supplicates, or begs earnestly to a power or authority.

In network access with 802.1X, a supplicant is specialized software that can exist in any type of computer that allows the protocol 802.1X to connect to a network access device (NAD). An NAD could be an Ethernet switch, a wireless access point or a router that terminates a VPN. Such a device becomes an NAD when it is configured with 802.1X commands.

A supplicant is considered native if it is already installed in an operating system by the vendor. For example, Microsoft Windows 10 has a native 802.1X supplicant.

Cisco has created several 802.1X supplicant products over the years, but the most pervasive current product is Cisco AnyConnect. The term AnyConnect means that if Cisco AnyConnect is downloaded and installed on an operating system, then that device can connect with 802.1X in any way, such as wired, wireless or with a VPN.

If any type of computer does not have a native supplicant or does not support installing an 802.1X product like AnyConnect, then it has no way of accessing a network that requires 802.1X.

Most printers, cameras or video devices don’t have support for 802.1X. Common alternates to 802.1X are MAB and WebAuth. MAB is MAC Authentication Bypass that uses only the MAC address on the Ethernet device as an alternate to the username and password. WebAuth allows an accessing device that supports a web browser to login with a username and password to a web portal.

Cisco ISE

Cisco has had different RADIUS server products over the years, but the premier RADIUS server in today’s market is Cisco Identity Service Engine (ISE). ISE is a highly scalable RADIUS server with load balancing and failover server role options to over a million client logins per day.

ISE also leverages the RADIUS protocol to add several additional security features — such as identifying the details of the client and suggesting or requiring added software such as virus detection or malware prevention — to be installed on the client for authentication and authorization to different network services.

Conclusion

The security of accessing any data network grows considerably when requiring 802.1X combines with RADIUS and AAA to authenticate to ISE. The white paper How to Implement 802.1X dives deeper into the configuration.

The Global Knowledge Cisco SISE Training provides a comprehensive view of Cisco ISE.

About the author

Chris Olsen has been an IT trainer since 1993 and an independent consultant and technical writer since 1996. He has taught over 80 different IT, security, data center and telephony classes to over 15,000 students. He is a technical editor for Global Knowledge’s lab manuals and has published three books with Cisco Press, CIPT part 2 version 6 and 8 and CCNA Voice Flash Cards. He is an author and technical editor on both Microsoft OCS 2007 and 2007 R2 certification exams. He is a technical author for Cisco-certified courses. He has also authored technical exams for Cisco’s certification program. Mr. Olsen can be reached at chrisolsenchicago@gmail.com