https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214921#M136676 <P>Hello,</P><P></P><P>I'd like to implement Cisco ISE on my network so that 802.1x authentication will be operationnal.</P><P>When I give a look to this document : <A href="http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038" target="_blank">http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038</A><BR />There's a lot of Catalyst 2950 on my network and I see that some features aren't supported on these devices : MAB, dACL, SGA.</P><P></P><P>What are the consequences of these non-supported technologies ? I've found out for instance that MAB was used to authenticate devices which doesnt allow or support 802.1x, so will the printers of my network still work ?</P><P><SPAN style="font-size: 10pt;">And what about dACL and SGA ? Are these features really useful or isn't it that bad if I can't use them ?</SPAN></P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 03:25:28 GMT yoshipower 2019-03-11T03:25:28Z https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214921#M136676 <P>Hello,</P><P></P><P>I'd like to implement Cisco ISE on my network so that 802.1x authentication will be operationnal.</P><P>When I give a look to this document : <A href="http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038" target="_blank">http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038</A><BR />There's a lot of Catalyst 2950 on my network and I see that some features aren't supported on these devices : MAB, dACL, SGA.</P><P></P><P>What are the consequences of these non-supported technologies ? I've found out for instance that MAB was used to authenticate devices which doesnt allow or support 802.1x, so will the printers of my network still work ?</P><P><SPAN style="font-size: 10pt;">And what about dACL and SGA ? Are these features really useful or isn't it that bad if I can't use them ?</SPAN></P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 03:25:28 GMT https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214921#M136676 yoshipower 2019-03-11T03:25:28Z https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214922#M136677 <HTML><HEAD></HEAD><BODY><P>Hello Yoshipower,</P><P></P><P>Catalyst 2950 does not support MAB, SGA, CWA, LWA, dACL, except that it&nbsp; supports 802.1x only. So this means that you can only use dot1x&nbsp; authentication but profiling, client provisioning, posture assessment,&nbsp; change of authorization features are not available to you on Catalyst&nbsp; 2950. You have already gone through the ISE Network Component&nbsp; Compatibility document.</P><P></P><P> So if you feel only user authentication fulfills your requirement you&nbsp; can set up dot1x authentication but it should not be enabled on the&nbsp; ports where devices like printers, IP phones, camera UPS etc are&nbsp; connected. Briefly we can say that only user authentication is available</P><P></P><P>Regards,</P><P>Ashok</P></BODY></HTML> Mon, 13 May 2013 09:46:44 GMT https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214922#M136677 askhuran 2013-05-13T09:46:44Z https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214923#M136678 <HTML><HEAD></HEAD><BODY><P>Hello Ashok,</P><P></P><P>Thank you for your proper answer, you're really fast in this forum. <SPAN style="font-size: 10pt;">My network is composed of nearly 60% of 2950 switches but there's a lot of other devices such as 2960 and 3750 switches. </SPAN><SPAN style="font-size: 10pt;">However, I don't have a lot of devices which don't support 802.1x auth (only a dozen of printers) so I guess I could turn off dot1x on them as you advised me.</SPAN></P><P></P><P>Are the unavailable features on 2950 useful ? <SPAN style="font-size: 10pt;">I mean by that that if they are really essential, I would have to invest in new switches and it's a considerable question in terms of money... I haven't deployed ISE yet so I'd like to be sure of my theorical study before going on.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thanks a lot !</SPAN></P></BODY></HTML> Mon, 13 May 2013 10:08:07 GMT https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214923#M136678 yoshipower 2013-05-13T10:08:07Z https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214924#M136679 <HTML><HEAD></HEAD><BODY><P>I agree with ashok...devices such as printers and cameras don't support dot1x and they completely rely on MAB. </P><P></P><P>If you turn on dot1x and mab on the switches and set the order/priority. It will work for both the devices, one that support dot1x and other that support MAB so it will work on a failover method. </P><P></P><P>I'd say 3750 and 3560 POE are the best switches to implement flex auth that includes dot1x, MAB and web-auth.</P><P></P><P>SGA is an advanced feature and not every deployment includes this feature.</P><P>SGA Features and Terminology </P><P><SPAN> </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_sga_pol.html#wp1058113">http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_sga_pol.html#wp1058113</A></P><P></P><P>Jatin Katyal <BR /> <BR /> <BR />- Do rate helpful posts -</P></BODY></HTML> Mon, 13 May 2013 10:17:26 GMT https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214924#M136679 Jatin Katyal 2013-05-13T10:17:26Z https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214925#M136680 <HTML><HEAD></HEAD><BODY><P>If you want to manage your limited investment you can follow a phased&nbsp; implementation approach. Though it would be little laborious. You can&nbsp; swap 2950 switches with 2960 or 3750 wherever you have devices like&nbsp; printers. So you can connect your printers on either 2960 or 3750&nbsp; switches only and PCs on 2950 switches. Then setup flexauth (MAB &gt;&nbsp; dot1x) order and priority as required, on those switches where printers&nbsp; etc are connected. Jatin Katyal has righly suggested, I agree with him</P><P></P><P> With this approach, you can setup and enable all other features i.e.&nbsp; profiling, client provisioning, CoA for certain identity groups which&nbsp; are connected on supported switches (2960, 3750)</P><P> Note: Please make sure to review the IOS on your 2960 switches and&nbsp; compare the same in “ISE Network Component Compatibility Document”</P></BODY></HTML> Mon, 13 May 2013 11:23:12 GMT https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214925#M136680 askhuran 2013-05-13T11:23:12Z https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214926#M136681 <HTML><HEAD></HEAD><BODY><P>Hi back, </P><P></P><P>Here's a small update about my topic. <SPAN style="font-size: 10pt;">I've talked a bit with my boss and it turns that he wants ISE to be deployed to ensure full security, which means I need to use profiling and provisioning for users to authenticate with NAC agent !</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thus, I'd like to know which features are required for my solution. What do I need : CoA,&nbsp; Web Auth ? I'm a bit lost...</SPAN></P><P><SPAN style="font-size: 10pt;"> I'm guessing I'll have to change my old 2950, but what about my 2960, 3950, 4510 and 4507 switches ? Do they support what I want to do ?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thank you for your help ! </SPAN></P></BODY></HTML> Wed, 15 May 2013 07:24:26 GMT https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214926#M136681 yoshipower 2013-05-15T07:24:26Z https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214927#M136682 <HTML><HEAD></HEAD><BODY><P>Yes I guess everything looks fine except 2960 doesn't support DACL. </P><P></P><P>Jatin Katyal <BR /> <BR /> <BR />- Do rate helpful posts -</P></BODY></HTML> Wed, 15 May 2013 09:19:07 GMT https://community.cisco.com/t5/network-access-control/ise-mab-soa/m-p/2214927#M136682 Jatin Katyal 2013-05-15T09:19:07Z