implementing-network-access-control-with-cisco-ise
Deploy Cisco Identity Services Engine for 802.1X wired and wireless authentication, MAC Authentication Bypass, posture assessment, and dynamic VLAN assignment for network access control.
Best use case
implementing-network-access-control-with-cisco-ise is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Deploy Cisco Identity Services Engine for 802.1X wired and wireless authentication, MAC Authentication Bypass, posture assessment, and dynamic VLAN assignment for network access control.
Teams using implementing-network-access-control-with-cisco-ise should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-network-access-control-with-cisco-ise/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-network-access-control-with-cisco-ise Compares
| Feature / Agent | implementing-network-access-control-with-cisco-ise | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Deploy Cisco Identity Services Engine for 802.1X wired and wireless authentication, MAC Authentication Bypass, posture assessment, and dynamic VLAN assignment for network access control.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Implementing Network Access Control with Cisco ISE ## Overview Cisco Identity Services Engine (ISE) provides centralized network access control through 802.1X authentication, MAC Authentication Bypass (MAB), posture assessment, and guest access management. ISE acts as a RADIUS policy server that evaluates authentication requests from network devices (switches, wireless controllers) and returns authorization policies including VLAN assignments, downloadable ACLs (dACLs), and Security Group Tags (SGTs). This skill covers deploying ISE for enterprise wired 802.1X authentication with Active Directory integration, MAB fallback, posture compliance enforcement, and TrustSec segmentation. ## When to Use - When deploying or configuring implementing network access control with cisco ise capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Cisco ISE 3.1+ appliance or virtual machine (16 CPU cores, 64GB RAM minimum for production) - Cisco switches with 802.1X support (Catalyst 9000 series recommended) - Active Directory domain with user and computer accounts - PKI infrastructure for EAP-TLS certificate-based authentication - DNS and NTP configured consistently across ISE nodes and network devices - Supplicant software on endpoints (Windows native, AnyConnect NAM, or SecureW2) ## Core Concepts ### 802.1X Architecture The 802.1X framework involves three components: | Component | Role | Example | |-----------|------|---------| | **Supplicant** | Client requesting network access | Windows 802.1X client, AnyConnect NAM | | **Authenticator** | Network device controlling port access | Cisco Catalyst switch | | **Authentication Server** | Policy decision engine | Cisco ISE (RADIUS) | ### Authentication Flow ``` 1. Endpoint connects to switch port 2. Switch sends EAP-Request/Identity to endpoint 3. Endpoint responds with EAP-Response/Identity 4. Switch forwards credentials to ISE via RADIUS Access-Request 5. ISE authenticates against AD/LDAP/internal store 6. ISE evaluates authorization policy 7. ISE returns RADIUS Access-Accept with attributes (VLAN, dACL, SGT) 8. Switch enforces authorization on the port ``` ### Authentication Methods | Method | Use Case | Security Level | |--------|----------|---------------| | EAP-TLS | Certificate-based, highest security | High | | PEAP-MSCHAPv2 | Username/password via AD | Medium | | EAP-FAST | Cisco proprietary, fast reauthentication | Medium | | MAB | Non-802.1X devices (printers, IP phones) | Low | ## Workflow ### Step 1: Configure ISE for Active Directory Integration Navigate to **Administration > Identity Management > External Identity Sources > Active Directory**: 1. Add AD join point with domain name (e.g., `corp.example.com`) 2. Provide domain admin credentials for ISE machine account 3. Join ISE to the domain 4. Select AD groups for authorization policies: - `Domain Users` - Standard employee access - `Domain Computers` - Machine authentication - `IT-Admins` - Privileged access - `BYOD-Users` - Personal device access ### Step 2: Configure Network Devices in ISE Navigate to **Administration > Network Resources > Network Devices**: ``` Name: SW-ACCESS-01 IP Address: 10.0.1.1/32 RADIUS Shared Secret: C0mpl3x$3cretKey! SNMP Settings: v2c, community string Device Type: Cisco Switches Location: Building-A-Floor-1 ``` Create a Network Device Group hierarchy: ``` Device Type: ├── Cisco Switches │ ├── Access Layer │ └── Distribution Layer └── Wireless Controllers Location: ├── Building-A └── Building-B ``` ### Step 3: Configure Switch for 802.1X Apply this configuration to the access switch: ``` ! Enable AAA aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius aaa accounting dot1x default start-stop group radius aaa accounting update newinfo periodic 2880 ! Configure RADIUS server radius server ISE-PRIMARY address ipv4 10.0.5.10 auth-port 1812 acct-port 1813 key 0 C0mpl3x$3cretKey! automate-tester username radius-test probe-on radius server ISE-SECONDARY address ipv4 10.0.5.11 auth-port 1812 acct-port 1813 key 0 C0mpl3x$3cretKey! automate-tester username radius-test probe-on aaa group server radius ISE-GROUP server name ISE-PRIMARY server name ISE-SECONDARY deadtime 15 ip radius source-interface Loopback0 ! Enable 802.1X globally dot1x system-auth-control ! Enable RADIUS CoA (Change of Authorization) aaa server radius dynamic-author client 10.0.5.10 server-key C0mpl3x$3cretKey! client 10.0.5.11 server-key C0mpl3x$3cretKey! ! Enable device tracking for IP-to-MAC mapping device-tracking tracking auto-source ! Configure access port template interface range GigabitEthernet1/0/1-48 description 802.1X Access Port switchport mode access switchport access vlan 100 ! Authentication settings authentication host-mode multi-auth authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server authentication timer inactivity server dynamic authentication violation restrict ! 802.1X settings dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 2 ! MAB fallback mab ! Enable spanning-tree portfast (required for timely auth) spanning-tree portfast ! Apply pre-auth ACL ip access-group PRE-AUTH-ACL in ! Pre-authentication ACL (allow DHCP, DNS, ISE portal) ip access-list extended PRE-AUTH-ACL permit udp any any eq 67 permit udp any any eq 68 permit udp any any eq 53 permit tcp any host 10.0.5.10 eq 8443 permit tcp any host 10.0.5.11 eq 8443 deny ip any any ``` ### Step 4: Configure ISE Authentication Policy Navigate to **Policy > Policy Sets**: **Authentication Policy:** | Rule Name | Condition | Allowed Protocols | Identity Source | |-----------|-----------|-------------------|-----------------| | Dot1X-EAP-TLS | Radius:EAP-Type EQUALS EAP-TLS | EAP-TLS | AD with Certificate | | Dot1X-PEAP | Radius:EAP-Type EQUALS PEAP | PEAP-MSCHAPv2 | Active Directory | | MAB | Radius:Service-Type EQUALS Call-Check | MAB Lookup | Internal Endpoints | | Default | Default | Default | Deny Access | ### Step 5: Configure ISE Authorization Policy **Authorization Policy:** | Rule Name | Condition | Authorization Profile | |-----------|-----------|----------------------| | IT-Admin-Wired | AD:Group EQUALS IT-Admins AND Dot1X | VLAN10-FullAccess | | Employee-Compliant | AD:Group EQUALS Domain Users AND Posture:Compliant | VLAN100-Corporate | | Employee-NonCompliant | AD:Group EQUALS Domain Users AND Posture:NonCompliant | VLAN200-Remediation | | Printer-MAB | EndpointIdentityGroup EQUALS Printers | VLAN150-Printers | | IP-Phone-MAB | EndpointIdentityGroup EQUALS IP-Phones | VLAN50-Voice | | BYOD-Onboarding | AD:Group EQUALS BYOD-Users AND !Registered | BYOD-Portal-Redirect | | Guest-Access | GuestEndpointGroup EQUALS GuestEndpoints | VLAN300-Guest | | Default | Default | DenyAccess | **Authorization Profiles:** ``` Profile: VLAN100-Corporate VLAN: 100 dACL: PERMIT_ALL SGT: Employees (0x0005) Reauthentication Timer: 28800 Profile: VLAN200-Remediation VLAN: 200 dACL: REMEDIATION-ACL (allow only remediation server access) Web Redirection: Posture Discovery Reauthentication Timer: 300 Profile: DenyAccess Access Type: ACCESS_REJECT ``` ### Step 6: Configure Posture Assessment Navigate to **Work Centers > Posture**: **Posture Conditions:** ``` - Windows Firewall Enabled (Registry check) - Antivirus Running and Updated (AV compound condition) - OS Patch Level Current (Windows Update check) - Disk Encryption Enabled (BitLocker check) ``` **Posture Requirements:** ``` Requirement: Corporate-Windows-Compliance OS: Windows All Conditions: Windows Firewall AND Antivirus AND OS Patches Remediation: Auto-remediate with AnyConnect ISE Posture Module ``` **Posture Policy:** ``` Rule: Windows-Endpoints Identity Group: Any OS: Windows All Requirement: Corporate-Windows-Compliance ``` ### Step 7: Configure TrustSec Segmentation Enable SGT-based segmentation: ``` ! On switch - enable CTS cts credentials id SW-ACCESS-01 password CtsP@ss cts role-based enforcement cts role-based sgt-map 10.0.100.0/24 sgt 5 ! Download SGT policy from ISE cts role-based permissions ``` ISE TrustSec Matrix (SGACL): | Source SGT | Destination SGT | Policy | |------------|----------------|--------| | Employees (5) | Servers (10) | Permit_HTTP_HTTPS | | Employees (5) | PCI_Zone (15) | Deny_All | | IT-Admins (3) | Servers (10) | Permit_All | | Guest (7) | Internet (99) | Permit_HTTP_HTTPS | | Guest (7) | Servers (10) | Deny_All | ## Troubleshooting ```bash # On switch - verify authentication status show authentication sessions show authentication sessions interface Gi1/0/1 details show dot1x all # Check RADIUS connectivity test aaa server radius ISE-PRIMARY username testuser password testpass # On ISE - check live logs # Navigate to Operations > RADIUS > Live Logs # Filter by MAC address or username # Review Authentication Details for failure reason # Common failure reasons: # 12514 - EAP-TLS handshake failed (certificate issue) # 22056 - Subject not found in identity store # 24408 - User not found in Active Directory # 24454 - User password expired ``` ## Best Practices - **Monitor Mode First** - Deploy in monitor mode (open authentication) before closed mode enforcement - **Low-Impact Mode** - Use `authentication open` with pre-auth dACLs for gradual rollout - **MAB Database** - Pre-populate endpoint database with known MAC addresses for printers, phones - **Profiling** - Enable ISE profiling to automatically classify endpoints by type - **CoA Support** - Ensure Change of Authorization is configured for dynamic policy updates - **High Availability** - Deploy ISE in a Primary/Secondary node pair with PAN failover - **Certificate Infrastructure** - Use machine certificates for EAP-TLS for strongest authentication ## References - [Cisco ISE Admin Guide 3.1](https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1.html) - [Cisco 802.1X Design Guide](https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/214843-guide-ieee-802-1x-deployment-with-cisco.html) - [CiscoLive ISE Deployment Guide 2025](https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKSEC-2660.pdf) - [Cisco ISE Wired 802.1X Configuration](https://www.networkcomputing.com/network-security/cisco-ise-wired-802-1x-configuration)
Related Skills
testing-for-broken-access-control
Systematically testing web applications for broken access control vulnerabilities including privilege escalation, missing function-level checks, and insecure direct object references.
securing-remote-access-to-ot-environment
This skill covers implementing secure remote access to OT/ICS environments for operators, engineers, and vendors while preventing unauthorized access that could compromise industrial operations. It addresses jump server architecture, multi-factor authentication, session recording, privileged access management, vendor remote access controls, and compliance with IEC 62443 and NERC CIP-005 remote access requirements.
scanning-network-with-nmap-advanced
Performs advanced network reconnaissance using Nmap's scripting engine, timing controls, evasion techniques, and output parsing to discover hosts, enumerate services, detect vulnerabilities, and fingerprint operating systems across authorized target networks.
performing-wireless-network-penetration-test
Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
performing-ot-network-security-assessment
This skill covers conducting comprehensive security assessments of Operational Technology (OT) networks including SCADA systems, DCS architectures, and industrial control system communication paths. It addresses the Purdue Reference Model layers, identifies IT/OT convergence risks, evaluates firewall rules between zones, and maps industrial protocol traffic (Modbus, DNP3, OPC UA, EtherNet/IP) to detect misconfigurations, unauthorized connections, and attack surfaces in critical infrastructure.
performing-network-traffic-analysis-with-zeek
Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.
performing-network-traffic-analysis-with-tshark
Automate network traffic analysis using tshark and pyshark for protocol statistics, suspicious flow detection, DNS anomaly identification, and IOC extraction from PCAP files
performing-network-packet-capture-analysis
Perform forensic analysis of network packet captures (PCAP/PCAPNG) using Wireshark, tshark, and tcpdump to reconstruct network communications, extract transferred files, identify malicious traffic, and establish evidence of data exfiltration or command-and-control activity.
performing-network-forensics-with-wireshark
Capture and analyze network traffic using Wireshark and tshark to reconstruct network events, extract artifacts, and identify malicious communications.
performing-initial-access-with-evilginx3
Perform authorized initial access using EvilGinx3 adversary-in-the-middle phishing framework to capture session tokens and bypass multi-factor authentication during red team engagements.
performing-external-network-penetration-test
Conduct a comprehensive external network penetration test to identify vulnerabilities in internet-facing infrastructure using PTES methodology, reconnaissance, scanning, exploitation, and reporting.
performing-credential-access-with-lazagne
Extract stored credentials from compromised endpoints using the LaZagne post-exploitation tool to recover passwords from browsers, databases, system vaults, and applications during authorized red team operations.