topic Cisco ISE switch configuration in Network Access Control

Cisco ISE switch configuration

Marcus Peck — Mon, 11 Mar 2019 06:15:31 GMT

Hi experts,

I have got the following network in brief:

Devices -> Access Switch -> Core Switch -> Access Switch -> ISE Server

All switches are IOS capable for the 802.1X and AAA configurations for ISE to manage the network devices. However, I have read through guide on the switches configuration in preparation for CIsco ISE deployment but I am just wondering do I need to configure both access switches and Core switches or do I only configure the access switches for ISE?

Thanks for your time reading!

Hi,

Jay233 — Fri, 20 Nov 2015 11:04:26 GMT

Hi,

To authenticate clients you only need to configure the device (NAS) that will be passing the radius packet to your ISE (radius server) often secured by way of a mutually configured secret key on both devices (authenticator and the authentication server) .

An example of a NAS would be access switch, WLC.

Hi Marcus,

Vivek Ganapathi — Mon, 23 Nov 2015 03:34:19 GMT

Hi Marcus,

It depends on your network design. If all the endpoints gets connected to access switch only, then the major piece of configuration goes on the access switch. Depending on our profiling setup on ISE, if you are using a DHCP profiling option, then you need to ensure that the ISE PSN IP or virtual IP (if Load balanced), is configured as a IP helper on the L3 SVI which might be on your Core switch.

Hope this helps.

Regards

Vivek

Hi Vivek,

Marcus Peck — Mon, 23 Nov 2015 03:56:29 GMT

Hi Vivek, thanks for your reply. The reason I asked this question is because I do not know if the L3 core needs any sort of configuration for the profiling and the NAC to work on the access layer switches connected to it? All endpoints are connected to the access switches as pointed out in my first post and all endpoints are non-dhcp clients. I do know that the Access switches needs to be configured accordingly but how about those switches without any endpoints (e.g. Core switches and distribution)?

If all the clients are non

Vivek Ganapathi — Mon, 23 Nov 2015 04:14:44 GMT

If all the clients are non-DHCP clients, then there is no configuration on core or distribution at all.

But you may need to look out for different profiling options if the clients are not DHCP enabled. Does the access switch support IOS sensor function? Would be very useful to have one as it would send important profiling information to ISE. You may need to use a right profiling options for ISE to determine the endpoint details.

Regards

Vivek