https://community.cisco.com/t5/network-access-control/pushing-configuration-changes-with-ise/m-p/3680505#M495641 No, that's not possible from ISE. I think the closest you could get is a port config status report from Context Visibility &gt; Network Devices &gt; Port Config Status &gt; Run on All/Selected. This uses SNMP to poll the switch but only provides back minimal port related config but no way to act on it. <BR /><BR />When I think about unused ports and the security risk they present to an enterprise, I think ISE can be leveraged in a more efficient way than shutting down ports. Eventually the goal is to get your switches to a closed mode state, where if an endpoint plugs in and is not allowed to be on the network, then you have restricted them via the access policy. You can couple this with TrustSec to further secure known endpoints with scalable group tags, and limit host to host communication at your preference based on their authentication results. Might not work for all environments but is a nice approach. Fri, 03 Aug 2018 02:43:42 GMT Damien Miller 2018-08-03T02:43:42Z https://community.cisco.com/t5/network-access-control/pushing-configuration-changes-with-ise/m-p/3680481#M495638 <P>Is there a way to push configuration changes to ISE like what Cisco Works is able to do&nbsp;</P> Fri, 03 Aug 2018 01:00:23 GMT https://community.cisco.com/t5/network-access-control/pushing-configuration-changes-with-ise/m-p/3680481#M495638 latenaite2011 2018-08-03T01:00:23Z https://community.cisco.com/t5/network-access-control/pushing-configuration-changes-with-ise/m-p/3680483#M495639 Yes, but in an extremely limited way. Not at all like Prime, APIC-EM, DNA, or Works. You can have port vlans and dacls pushed during a user authentication flow for example. <BR /><BR />You cannot configure things that I would normally considered infrastructure commands, radius servers, qos, stp, routing, static acls, etc. Basically anything outside of the realm of authenticating and securing a user. ISE is the policy server, not a replacement for the others listed above. I do however wish ISE could audit NAD config in a useful way. Fri, 03 Aug 2018 01:07:12 GMT https://community.cisco.com/t5/network-access-control/pushing-configuration-changes-with-ise/m-p/3680483#M495639 Damien Miller 2018-08-03T01:07:12Z https://community.cisco.com/t5/network-access-control/pushing-configuration-changes-with-ise/m-p/3680495#M495640 <P>Thank you Damien for your quick response.</P> <P>&nbsp;</P> <P>How about finding unused ports and shutting those down?</P> Fri, 03 Aug 2018 01:47:18 GMT https://community.cisco.com/t5/network-access-control/pushing-configuration-changes-with-ise/m-p/3680495#M495640 latenaite2011 2018-08-03T01:47:18Z https://community.cisco.com/t5/network-access-control/pushing-configuration-changes-with-ise/m-p/3680505#M495641 No, that's not possible from ISE. I think the closest you could get is a port config status report from Context Visibility &gt; Network Devices &gt; Port Config Status &gt; Run on All/Selected. This uses SNMP to poll the switch but only provides back minimal port related config but no way to act on it. <BR /><BR />When I think about unused ports and the security risk they present to an enterprise, I think ISE can be leveraged in a more efficient way than shutting down ports. Eventually the goal is to get your switches to a closed mode state, where if an endpoint plugs in and is not allowed to be on the network, then you have restricted them via the access policy. You can couple this with TrustSec to further secure known endpoints with scalable group tags, and limit host to host communication at your preference based on their authentication results. Might not work for all environments but is a nice approach. Fri, 03 Aug 2018 02:43:42 GMT https://community.cisco.com/t5/network-access-control/pushing-configuration-changes-with-ise/m-p/3680505#M495641 Damien Miller 2018-08-03T02:43:42Z