https://community.cisco.com/t5/network-access-control/ise-device-information-for-non-auth-interfaces/m-p/3765892#M486917 <P>As far as I know at least MAB is required. Use monitor mode or return Permit from ISE unconditionally to avoid connectivity issues. Without an authentication request (a session) the endpoint is not added to ISE endpoint database.</P> Tue, 18 Dec 2018 15:05:15 GMT Peter Koltl 2018-12-18T15:05:15Z https://community.cisco.com/t5/network-access-control/ise-device-information-for-non-auth-interfaces/m-p/3765719#M486909 <P>Hello,</P><P>&nbsp;</P><P>we're currently migrating from ACS 5.8 to ISE 2.2 and I was wondering, if it is possible to profile the devices that are not authenticated on a switch interface/ISE. Our authentication is vlan-based without dACL or SGT.</P><P>Or if there is a better way to authenticate devices that can't auth with dot1x and need to have network access on startup (except changing the auth-order from dot1x mab to mab dot1x). Sometimes some of the devices won't show their mac-address for some reason, thus authentication won't work.</P><P>&nbsp;</P><P>The first interface is our default switchport configuration and the second interface configuration is when the interface needs to be locked in a vlan for a device.</P><P>&nbsp;</P><P>interface GigabitEthernet1/0/3<BR />&nbsp;description dot1x<BR />&nbsp;switchport access vlan 54<BR />&nbsp;switchport mode access<BR />&nbsp;switchport voice vlan 121<BR />&nbsp;authentication control-direction in<BR />&nbsp;authentication event server dead action authorize vlan 55<BR />&nbsp;authentication event server dead action authorize voice<BR />&nbsp;authentication event server alive action reinitialize<BR />&nbsp;authentication host-mode multi-domain<BR />&nbsp;authentication order dot1x mab<BR />&nbsp;authentication priority dot1x mab<BR />&nbsp;authentication port-control auto<BR />&nbsp;authentication violation restrict<BR />&nbsp;mab<BR />&nbsp;dot1x pae authenticator<BR />&nbsp;dot1x timeout tx-period 7<BR />&nbsp;spanning-tree portfast<BR />&nbsp;spanning-tree bpduguard enable<BR />&nbsp;spanning-tree guard root<BR />end</P><P>&nbsp;</P><P>interface GigabitEthernet1/0/4<BR />&nbsp;description SALTO Liz-Serv<BR />&nbsp;switchport access vlan 111<BR />&nbsp;switchport mode access<BR />&nbsp;switchport port-security mac-address sticky<BR />&nbsp;switchport port-security mac-address sticky xxxx.xxxx.xxxx<BR />&nbsp;switchport port-security<BR />end</P><P>&nbsp;</P><P>Thanks!</P> Tue, 18 Dec 2018 11:45:58 GMT https://community.cisco.com/t5/network-access-control/ise-device-information-for-non-auth-interfaces/m-p/3765719#M486909 Maxee 2018-12-18T11:45:58Z https://community.cisco.com/t5/network-access-control/ise-device-information-for-non-auth-interfaces/m-p/3765892#M486917 <P>As far as I know at least MAB is required. Use monitor mode or return Permit from ISE unconditionally to avoid connectivity issues. Without an authentication request (a session) the endpoint is not added to ISE endpoint database.</P> Tue, 18 Dec 2018 15:05:15 GMT https://community.cisco.com/t5/network-access-control/ise-device-information-for-non-auth-interfaces/m-p/3765892#M486917 Peter Koltl 2018-12-18T15:05:15Z https://community.cisco.com/t5/network-access-control/ise-device-information-for-non-auth-interfaces/m-p/3765921#M486935 <P>MAB is the only method to authenticate devices that do not have a supplicant.&nbsp; You can still profile devices so long as the MAC address of the endpoint is obtained.&nbsp; There are a few ways to obtain the MAC address of the endpoint:&nbsp; DHCP, SNMP polling, etc.</P> <P>&nbsp;</P> <P>Regards,</P> <P>-Tim</P> Tue, 18 Dec 2018 15:27:56 GMT https://community.cisco.com/t5/network-access-control/ise-device-information-for-non-auth-interfaces/m-p/3765921#M486935 Timothy Abbott 2018-12-18T15:27:56Z