topic Re: Cisco ISE in Network Access Control

Cisco ISE

jm.virtual01 — Wed, 27 Mar 2019 20:09:17 GMT

I have cisco ISE 2.2 in my network for the authentication. For the wireless network i have number of standalone APs connected to the access layer switch directly and because of this, it consumes more licensing. Can i remove the dot1x from the interface where the APs are connected? Because the wireless infrastructure is secured by clear pass. So only authenticated users can get the access via wireless infrastructure.

So is it fine to remove the dot1x configuration from the interfaces where the APs are connected?

Is there any cisco recommended practice for this kind of issue?

Is there any cisco provided document for this kind of situation?

Re: Cisco ISE

Damien Miller — Wed, 27 Mar 2019 20:45:42 GMT

You can do anything you want, the world is your oyster as they say.

That said, the goal with wired dot1x is to secure your access layer and protect potential entry points on to your network. If you remove dot1x from the AP ports, then they won't consume any license, but you would probably be best to secure the port some other way then.

The reccomendation as a general security practice, secure all your access ports, my customers tend to do that with ISE still.

Re: Cisco ISE

Jason Kunst — Wed, 27 Mar 2019 20:50:33 GMT

If you have ISE use it for everything! ☺

Re: Cisco ISE

jm.virtual01 — Wed, 27 Mar 2019 23:54:43 GMT

if i have a licences issues and the wireless infrastructure is secured by clear pass then what is the best practice ?