Software-Defined Network Access Control Requirements Part 2
The NAC solution should secure network access for IoT devices. It should support advanced asset visibility, which discovers and classifies IoT-type devices so that they appear in the inventory alongside managed endpoints.
The solution should provide a real-time inventory of all connected endpoints. NAC should build contextual data about each endpoint: its device type, location, time of access, posture, the user(s) associated with that asset, and more. Endpoints can be tagged with Scalable Group Tags (SGTs) based on these attributes. This contextual insight can be used to enforce effective network access control policies and can also be shared with ecosystem partners to enrich their services, all in real time.
The solution should provide full fingerprint details for each endpoint, such as time of connectivity, device type, operating system, authentication method, group assigned, policy assigned, and where in the network it is connected. These attributes are the input to the contextual data and SGT assignment described above.
The solution should integrate with third-party solutions such as next-generation firewalls (NGFW), SIEM and MDM to provide additional layers of security. Integration lets the NAC and those security solutions exchange information and act on it: for example, deleting a disconnected user's session from the firewalls in real time, or quarantining a device when it violates a specific firewall rule. The same endpoint context that drives NAC policy (device type, location, time of access, posture, associated users, and the SGTs derived from them) can be shared with ecosystem partners to enrich their services.
For example, in the NGFW, policies can be written on identity context received from the NAC, such as device type, location and user groups. Inversely, specific context from third-party systems can be fed into the NAC to enrich its sensing and profiling capabilities and to drive threat containment.
The solution should provide passive (non-intrusive) scanning to detect vulnerable open ports on end systems and IoT devices. The NAC solution should provide a Threat-Centric Network Access Control (TC-NAC) feature that enables authorization policies based on threat and vulnerability attributes received from threat and vulnerability adapters. Threat severity levels and vulnerability assessment results can then be used to dynamically control the access level of an endpoint or user. The adapters should be configurable to send high-fidelity Indicators of Compromise (IoCs), Threat Detected events and CVSS scores to the NAC, so that threat-centric access policies can change the privilege and context of an endpoint accordingly, typically by re-authorizing the live session rather than waiting for the next login.
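The following is an added example, not code from the page or from any NAC product, that ties the two preceding ideas together: the contextual attributes and SGT tagging from the endpoint-context paragraphs, and the threat-centric re-authorization from the TC-NAC paragraph. It builds a constructed endpoint record, evaluates an ordered first-match rule set that maps context to an SGT, exports the resulting context in the shape a partner such as an NGFW could key its own policy on, and re-evaluates the endpoint when a constructed vulnerability or threat adapter event arrives. The attribute names, SGT names, CVSS threshold and event formats are assumptions for the example; the point is that threat rules sit above device-type rules so a compromised host can never keep a privileged tag, and that a changed result is what triggers a Change of Authorization (CoA).

```python
"""Context- and threat-aware authorization model (added example, not product code).

Constructed illustration: an endpoint record assembled from profiling data,
an ordered rule set that maps that context to a Scalable Group Tag (SGT),
and a re-evaluation path that runs when a vulnerability or threat adapter
reports new attributes. Attribute names, SGT names and the CVSS threshold
are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    mac: str
    device_type: str                # from profiling, e.g. "ip-camera", "workstation"
    location: str                   # e.g. "HQ-floor3" (switch/AP the endpoint is behind)
    auth_method: str = "mab"        # "eap-tls", "peap", "mab" or "guest"
    user: Optional[str] = None      # user(s) associated with the asset, if any
    posture: str = "unknown"        # "compliant", "non-compliant" or "unknown"
    cvss_max: float = 0.0           # highest CVSS score reported by a vulnerability adapter
    threat_severity: str = "none"   # "none", "low", "medium", "high" or "critical"
    ioc_seen: bool = False          # a threat adapter raised an Indicator of Compromise


@dataclass
class Rule:
    name: str
    match: Callable[[Endpoint], bool]
    sgt: str


# Ordered, first-match rule set. Threat-centric rules come first so a
# compromised or vulnerable host can never inherit a privileged tag
# from its device type or user group.
RULES: List[Rule] = [
    Rule("ioc-or-critical-threat",
         lambda e: e.ioc_seen or e.threat_severity == "critical", "Quarantine"),
    Rule("high-cvss", lambda e: e.cvss_max >= 7.0, "Remediation"),
    Rule("non-compliant-posture", lambda e: e.posture == "non-compliant", "Remediation"),
    Rule("iot-camera",
         lambda e: e.device_type == "ip-camera" and e.auth_method == "mab", "IoT_Camera"),
    Rule("corp-workstation",
         lambda e: e.device_type == "workstation" and e.auth_method == "eap-tls"
         and e.posture == "compliant", "Employees"),
    Rule("guest", lambda e: e.auth_method == "guest", "Guests"),
]
DEFAULT_SGT = "Unknown"   # least privilege when nothing matches


def authorize(ep: Endpoint) -> Tuple[str, str]:
    """Evaluate the rule set top-down; return (matching rule name, SGT)."""
    for rule in RULES:
        if rule.match(ep):
            return rule.name, rule.sgt
    return "default", DEFAULT_SGT


def context_for_partner(ep: Endpoint) -> Dict[str, object]:
    """Context record a partner (NGFW, SIEM) can key its own policy on."""
    _, sgt = authorize(ep)
    return {"mac": ep.mac, "user": ep.user, "device_type": ep.device_type,
            "location": ep.location, "posture": ep.posture, "sgt": sgt}


def apply_adapter_event(ep: Endpoint, event: Dict[str, object]) -> Dict[str, object]:
    """Merge an adapter event into the endpoint context and re-authorize.

    Returns the old and new SGT and whether a Change of Authorization (CoA)
    must be sent to the access device to move the live session.
    """
    _, old_sgt = authorize(ep)
    kind = event.get("type")
    if kind == "vulnerability":            # e.g. from a vulnerability-scanner adapter
        ep.cvss_max = max(ep.cvss_max, float(event["cvss"]))
    elif kind == "threat":                 # e.g. from an endpoint-protection adapter
        ep.threat_severity = str(event.get("severity", ep.threat_severity))
        ep.ioc_seen = ep.ioc_seen or bool(event.get("ioc", False))
    elif kind == "posture":
        ep.posture = str(event["status"])
    else:
        raise ValueError(f"unknown adapter event type: {kind!r}")
    rule, new_sgt = authorize(ep)
    return {"mac": ep.mac, "rule": rule, "old_sgt": old_sgt,
            "new_sgt": new_sgt, "coa": old_sgt != new_sgt}


if __name__ == "__main__":
    # Constructed endpoints and adapter events.
    camera = Endpoint(mac="00:11:22:33:44:55", device_type="ip-camera", location="HQ-floor3")
    laptop = Endpoint(mac="66:77:88:99:aa:bb", device_type="workstation", location="HQ-floor2",
                      auth_method="eap-tls", user="alice", posture="compliant")
    print(authorize(camera), authorize(laptop))
    print(context_for_partner(laptop))
    print(apply_adapter_event(camera, {"type": "vulnerability", "cvss": 9.8}))
    print(apply_adapter_event(laptop, {"type": "threat", "severity": "critical", "ioc": True}))
```

Rule order is the security-relevant design choice: because the rules are evaluated top-down and the first hit wins, an adapter event only needs to change an attribute for the endpoint to fall into the quarantine or remediation tag, and the `coa` flag tells the caller that the existing session must be re-authorized immediately rather than at the next login.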
The solution should support Guest Access and BYOD captive portals with multiple login options, such as social media, email, SMS, pre-registered passwords and sponsorship. The NAC solution should offer three ways of providing guest access: Hotspot (immediate, non-credentialed access), Self-Registration, and Sponsored guest access. NAC should also provide a rich set of APIs so that other systems, such as vendor management systems, can create, edit and delete guest accounts.
Further, the portals the end user sees can be fully customized (fonts, colors, themes, etc.) to match the look and feel of the enterprise's brand. NAC should create local accounts for guests. These accounts can be created by the employee hosting the guest (the sponsor) through a built-in portal, or by the guest themselves by providing some basic information. The guest receives credentials via email or SMS and uses them to authenticate to the network and obtain network access.
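As an added example (not code from the page or from any NAC product), the block below models the guest account lifecycle just described: a hotspot session granted after accepting the acceptable-use policy without credentials, self-registered and sponsored accounts whose password is generated once for out-of-band delivery by email or SMS and stored only as a salted PBKDF2 hash, and an authentication check that enforces the validity window and locks the account after repeated failures. The sponsor group, password alphabet, validity defaults and the `Guest_Internet` access level are assumptions for the example, and the store is an in-memory stand-in for the NAC's local guest database.

```python
"""Local guest account lifecycle (added example, not product code).

Constructed illustration of the three guest modes: hotspot access without
credentials, self-registration, and sponsored accounts created by an employee.
Credentials are generated once for out-of-band delivery and only a salted
hash is stored; authentication enforces the validity window and a lockout.
Group names, lengths and limits are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

SPONSOR_GROUP = {"alice@example.com"}   # constructed: employees allowed to sponsor guests
MAX_FAILED_LOGINS = 5
PASSWORD_ALPHABET = string.ascii_letters + string.digits   # SMS-friendly, no symbols


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class GuestStore:
    """In-memory stand-in for the NAC's local guest account database."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}

    def hotspot_session(self, mac: str, aup_accepted: bool, now: datetime,
                        minutes: int = 60) -> Optional[dict]:
        """Hotspot: immediate, non-credentialed access after accepting the AUP."""
        if not aup_accepted:
            return None
        return {"mac": mac, "valid_from": now, "valid_to": now + timedelta(minutes=minutes),
                "access_level": "Guest_Internet"}

    def create(self, mode: str, contact: str, now: datetime, valid_hours: int = 8,
               sponsor: Optional[str] = None) -> Tuple[str, str, str]:
        """Create a self-registered or sponsored account.

        Returns (username, one-time plaintext password, delivery channel);
        the plaintext is handed to the mailer/SMS gateway and never stored.
        """
        if mode == "sponsored":
            if sponsor not in SPONSOR_GROUP:
                raise PermissionError(f"{sponsor!r} is not allowed to sponsor guests")
        elif mode != "self":
            raise ValueError("mode must be 'self' or 'sponsored'")
        delivery = "email" if "@" in contact else "sms"
        username = "guest-" + secrets.token_hex(4)
        password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(10))
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "contact": contact, "sponsor": sponsor, "salt": salt,
            "hash": _hash_password(password, salt),
            "valid_from": now, "valid_to": now + timedelta(hours=valid_hours),
            "failed": 0, "access_level": "Guest_Internet",
        }
        return username, password, delivery

    def extend(self, username: str, hours: int) -> None:
        """Edit: extend an account's validity (sponsor portal or API call)."""
        self.accounts[username]["valid_to"] += timedelta(hours=hours)

    def delete(self, username: str) -> None:
        self.accounts.pop(username, None)

    def authenticate(self, username: str, password: str, now: datetime) -> Tuple[bool, str]:
        """Check credentials and the validity window; lock after repeated failures."""
        acct = self.accounts.get(username)
        if acct is None:
            return False, "no-such-account"
        if acct["failed"] >= MAX_FAILED_LOGINS:
            return False, "locked"
        if now < acct["valid_from"]:
            return False, "not-yet-valid"
        if now > acct["valid_to"]:
            return False, "expired"
        if not hmac.compare_digest(_hash_password(password, acct["salt"]), acct["hash"]):
            acct["failed"] += 1
            return False, "bad-password"
        acct["failed"] = 0
        return True, acct["access_level"]


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = GuestStore()
    user, pw, via = store.create("sponsored", "bob@visitor.example", now,
                                 sponsor="alice@example.com")
    print(user, pw, "delivered via", via)
    print(store.authenticate(user, pw, now + timedelta(hours=1)))
    print(store.authenticate(user, pw, now + timedelta(hours=9)))
    print(store.hotspot_session("00:11:22:33:44:55", True, now))
```

The checks run in the order a practitioner would want: an expired or locked account fails before the password is ever compared, so an attacker cannot use the response to learn whether a guessed password was right for an account that is no longer valid, and the constant-time comparison avoids leaking hash bytes through timing.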
The administrator defines what level of access such guest users receive. For BYOD, NAC should provide multiple elements that automate the entire onboarding process, including a built-in Certificate Authority (CA) that issues and helps distribute certificates to different types of devices and provides complete certificate lifecycle management. NAC should also provide a My Devices Portal, an end-user-facing portal that lets users register their BYOD endpoints and mark a device as lost, which blacklists it from the network.
BYOD onboarding can be accomplished through either a single-SSID or a dual-SSID approach. In the single-SSID approach, the same SSID is used to onboard the device and to connect it afterwards; in the dual-SSID approach, an open SSID is used only to onboard the device, which then connects to a separate, more secure SSID once onboarding completes. For enterprises that want a more complete management policy, BYOD onboarding can also redirect the end user to the MDM onboarding page.
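The block below is an added example (not code from the page or from any NAC product) of the BYOD flow in the two preceding paragraphs: a user registers a device through a My Devices style portal, the built-in CA issues it a certificate bound to that device, the device gets provisioning-only access on the onboarding SSID (or, in the single-SSID design, after credential authentication on the secure SSID) and full access on the secure SSID with its certificate, and marking the device lost revokes the certificate and blocks the MAC. Certificates are represented by plain records (serial, subject, bound MAC, expiry) standing in for the X.509 objects a real CA would issue and validate; the SSID names, access levels and per-user device limit are assumptions for the example.

```python
"""BYOD device registry with certificate lifecycle (added example, not product code).

Constructed model: registration in a My Devices style portal, certificate
issuance by a built-in CA, provisioning-only access during onboarding, full
access with a valid device-bound certificate, and revocation when the owner
reports the device lost. Certificate records stand in for real X.509 objects;
SSID names, access levels and limits are assumptions for the example.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

ONBOARDING_SSID = "corp-onboard"    # open SSID used only to enroll (dual-SSID design)
SECURE_SSID = "corp-secure"         # 802.1X SSID used after enrollment
MAX_DEVICES_PER_USER = 3            # constructed registration limit


@dataclass(frozen=True)
class DeviceCert:
    serial: str          # unique serial assigned by the built-in CA
    subject: str         # user the certificate was issued to
    bound_mac: str       # device identity the certificate is bound to
    not_after: datetime


class DeviceRegistry:
    def __init__(self) -> None:
        self.devices: Dict[str, dict] = {}    # mac -> {"owner", "state", "serial"}
        self.issued: Dict[str, DeviceCert] = {}
        self.revoked: Set[str] = set()        # CA revocation list (serials)

    # --- My Devices portal actions -------------------------------------------
    def register(self, user: str, mac: str) -> None:
        owned = [m for m, d in self.devices.items() if d["owner"] == user]
        if len(owned) >= MAX_DEVICES_PER_USER:
            raise ValueError(f"{user} already has {MAX_DEVICES_PER_USER} devices registered")
        if mac in self.devices and self.devices[mac]["owner"] != user:
            raise ValueError("device is registered to another user")
        self.devices[mac] = {"owner": user, "state": "registered", "serial": None}

    def mark_lost(self, user: str, mac: str) -> None:
        """Owner reports the device lost: revoke its certificate and block the MAC."""
        dev = self.devices.get(mac)
        if dev is None or dev["owner"] != user:
            raise PermissionError("only the owner may mark a device lost")
        if dev["serial"]:
            self.revoked.add(dev["serial"])
        dev["state"] = "lost"

    # --- built-in CA -------------------------------------------------------------
    def issue_cert(self, user: str, mac: str, now: datetime, days: int = 365) -> DeviceCert:
        dev = self.devices.get(mac)
        if dev is None or dev["owner"] != user or dev["state"] not in ("registered", "provisioned"):
            raise PermissionError("device must be registered to this user before enrollment")
        if dev["serial"]:
            self.revoked.add(dev["serial"])   # re-enrollment supersedes the old certificate
        cert = DeviceCert(secrets.token_hex(8), user, mac, now + timedelta(days=days))
        self.issued[cert.serial] = cert
        dev.update(state="provisioned", serial=cert.serial)
        return cert

    # --- authorization at connect time ---------------------------------------------
    def authorize(self, ssid: str, mac: str, now: datetime,
                  cert: Optional[DeviceCert] = None,
                  password_auth_user: Optional[str] = None) -> Tuple[bool, str]:
        dev = self.devices.get(mac)
        if dev is not None and dev["state"] == "lost":
            return False, "device-reported-lost"
        if ssid == ONBOARDING_SSID:
            return True, "BYOD_Provisioning"    # open SSID: reaches only the portal and CA
        if ssid != SECURE_SSID:
            return False, "unknown-ssid"
        if cert is None:
            # Single-SSID design: credentials first, provisioning-only until enrolled.
            if password_auth_user is not None:
                return True, "BYOD_Provisioning"
            return False, "certificate-required"
        if dev is None:
            return False, "unregistered-device"
        if cert.serial not in self.issued or cert.serial in self.revoked:
            return False, "certificate-revoked-or-unknown"
        if now > cert.not_after:
            return False, "certificate-expired"
        if cert.bound_mac != mac or cert.subject != dev["owner"]:
            # A valid certificate presented from another device is a cloned credential.
            return False, "certificate-device-mismatch"
        return True, "BYOD_Employee"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0)
    reg = DeviceRegistry()
    mac = "00:11:22:33:44:55"
    print(reg.authorize(ONBOARDING_SSID, mac, now))
    reg.register("alice", mac)
    cert = reg.issue_cert("alice", mac, now)
    print(reg.authorize(SECURE_SSID, mac, now, cert=cert))
    reg.mark_lost("alice", mac)
    print(reg.authorize(SECURE_SSID, mac, now, cert=cert))
```

Two checks in `authorize` are the ones worth carrying into a real deployment: the lost-device check runs before anything else, so a stolen device is refused even on the open onboarding SSID, and the certificate is tied to both the registered owner and the device MAC, so a certificate copied off one device cannot be used from another.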
Sources:
https://www.grandmetric.com/store/product/cisco-security/cisco-ise-identity-service-engine
https://studylib.net/doc/26265013/cisco-ise-ordering-guide-june-2020
https://community.cisco.com/t5/network-access-control/ise-licenses-query/td-p/4427158