As I’ve described in my previous blogs and documents, the first capability deployed by Cisco IT for Identity Services Engine (ISE) is guest networking. Guest networking replaced an older existing solution, referred to internally as NextGen Guest Networking (NGGN). NGGN relied on about 12 servers globally and had a large access control list (ACL) to manage. Deploying guest networking on ISE is a logical first choice for three reasons: 

  • Guest access is a simple, context-aware network access capability that nearly all companies require.
  • Deploying this service is fairly simple, both as infrastructure and as policy in ISE.
  • Guest services are a critical piece of the Posture Enforcement goal of the ISE deployment, because they give devices that fail posture enforcement some level of connectivity.

This last bullet, an outlet for non-compliant devices, is part of the evolution of guest networking. Both Cisco IT and customers are grappling with this issue and it is one that is brought up during Cisco on Cisco engagements.

The order in which Cisco IT deploys ISE capabilities is a good starting point:

  • Guest Networking (internally we call this ‘Internet Only Networking’, or ‘ION’ for short).
  • 802.1X Monitor Mode and Profiling. These help us understand what is on the network and, for endpoints that fail authentication in Monitor Mode, give us the ability to look at remediation.
  • 802.1X Authenticated Mode, quickly followed by Posture Assessment.
  • Posture Enforcement. For Cisco IT this will leverage the Device Management (DM) engines for the various platforms (Android, iOS, Mac, Windows, Linux) to validate whether a device is compliant, and then communicate that outcome to ISE so that ISE can decide whether to allow access.

Figure 1: ION versus Corporate Network Services Offered

Logically, the next question in this enforcement mode is “What do you do with devices that are either not compliant, never will be compliant, or that the user chooses not to make compliant?” In recent months, Cisco IT architects, design engineers, technical leadership, user experience, and others have been discussing how to shape what is now called Guest networking but is rapidly becoming a “Default” network. The term Default isn’t entirely elegant or descriptive, but it is as close a description as can be done in a single word. By Default, the organization means the medium of access for the majority of devices that are non-compliant (whether by design, choice, or need). This could include a large number of devices that fall into our Internet of Everything (IoE) universe of devices.

This evolution of Guest into the default access medium then becomes more than the name ION implies. For instance, suppose a user gets a new laptop from Cisco IT (a future what-if that assumes Posture Enforcement is strictly enabled) and the laptop is out of compliance on its version of anti-virus software (it sat in the box for a while before it was shipped or before the user opened it, for example). When the user tries to access the corporate wireless network, ISE checks and finds that the laptop is not compliant (according to the DM solution for laptops). The user is then directed to connect to ION, the default network, which has services and/or ports open that allow the laptop to get back into compliance and then reconnect to corporate networking.

Another scenario being discussed is the user-owned tablet that the user does not want to make compliant. It could be for any number of reasons, but the owner of the tablet doesn’t want the encryption, anti-virus solution, or PIN code requirements enforced by the DM solution. Again, the user would connect to ION and, in this case, stay connected to ION for as long as they want internet access. Further, the user may still get some work done on the ION network if it offers print services, web mail, or location-based services. Perhaps we have to allow VPN services via AnyConnect back to the network (however, we will ultimately be enforcing the same Posture Enforcement via AnyConnect clients as well).

It is envisaged that at some point, with the growth of IoE, the population of smartphones, tablets, and other devices that are going to be non-compliant (either by design, choice, or need) could be larger in endpoint count than the corporate network itself. This has all kinds of implications for the services offered, for user experience and expectations, and for design that Cisco IT will continue to evolve.