https://community.cisco.com/t5/network-access-control/question-on-easyconnect/m-p/3569269#M508979 <HTML><HEAD></HEAD><BODY><P>You’re mixing different modes incorrectly</P><P></P><P>Easy connect is for wired use cases where customers don’t want to deploy a wired supplicant. It’s an easy way to start getting visibility and control with ISE. Still recommended to deploy 802.1x eventually as it’s more secure and recommended method.</P><P></P><P>Vlan change is not going to work correctly as this requires a supplicant to release renew the IP address. Recommendation would be to deploy segmentation using SGTs. You could use acls but they don’t scale that week compared to the tagging.</P><P></P><P>About shutting down switch port, likely through a manual COA action. What is the use case? Why would you want to instead of changing tag or acl instead?</P><P></P><P>Disconnect user on vpn, not sure what you’re tying to do as easy connect doesn’t play with vpn and same with blocking user on ssid.</P></BODY></HTML> Fri, 15 Jun 2018 15:19:37 GMT Jason Kunst 2018-06-15T15:19:37Z https://community.cisco.com/t5/network-access-control/question-on-easyconnect/m-p/3569268#M508978 <HTML><HEAD></HEAD><BODY><P>Hi Folks, i'm not very familiar yet with Easyconnect and it's limitations.</P><P></P><P>Main question is, considering the below traditional remediation actions with 802.1x, can we do ALL of them with Easyconnect?</P><P></P><P>- Shutdown on Switch port</P><P>- Change VLAN on port</P><P>- dACL on Port</P><P>- Disconnect user from VPN</P><P>- Block user on SSID with WLC</P><P></P><P>Thanks</P></BODY></HTML> Fri, 15 Jun 2018 15:09:15 GMT https://community.cisco.com/t5/network-access-control/question-on-easyconnect/m-p/3569268#M508978 mcavinat 2018-06-15T15:09:15Z https://community.cisco.com/t5/network-access-control/question-on-easyconnect/m-p/3569269#M508979 <HTML><HEAD></HEAD><BODY><P>You’re mixing different modes incorrectly</P><P></P><P>Easy connect is for wired use cases where customers don’t want to deploy a wired supplicant. It’s an easy way to start getting visibility and control with ISE. Still recommended to deploy 802.1x eventually as it’s more secure and recommended method.</P><P></P><P>Vlan change is not going to work correctly as this requires a supplicant to release renew the IP address. Recommendation would be to deploy segmentation using SGTs. You could use acls but they don’t scale that week compared to the tagging.</P><P></P><P>About shutting down switch port, likely through a manual COA action. What is the use case? Why would you want to instead of changing tag or acl instead?</P><P></P><P>Disconnect user on vpn, not sure what you’re tying to do as easy connect doesn’t play with vpn and same with blocking user on ssid.</P></BODY></HTML> Fri, 15 Jun 2018 15:19:37 GMT https://community.cisco.com/t5/network-access-control/question-on-easyconnect/m-p/3569269#M508979 Jason Kunst 2018-06-15T15:19:37Z https://community.cisco.com/t5/network-access-control/question-on-easyconnect/m-p/3569270#M508980 <HTML><HEAD></HEAD><BODY><P style="font-size: 13.3333px;">Jason, thanks and agreed.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">This is an RFP that I'm filling and basically for each of the above situations they ask if we can do it WITH .1x and WITHOUT. </P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Would you agree that TECHNICALLY by NOT .1x we could interpret that for RFP purposes MAB is a possibility and then we could say "yes" to all above? I was thinking easyconnect but as this is an RFP creativity is important</P></BODY></HTML> Fri, 15 Jun 2018 15:28:04 GMT https://community.cisco.com/t5/network-access-control/question-on-easyconnect/m-p/3569270#M508980 mcavinat 2018-06-15T15:28:04Z https://community.cisco.com/t5/network-access-control/question-on-easyconnect/m-p/3569271#M508981 <HTML><HEAD></HEAD><BODY><P>The following with mab?</P><P></P><P></P><P>- Shutdown on Switch port</P><P></P><P>Yes</P><P></P><P>- Change VLAN on port</P><P></P><P>Yes but not recommended</P><P></P><P>- dACL on Port</P><P></P><P>Yes</P><P></P><P>- Disconnect user from VPN</P><P></P><P>No such mechanism.</P><P></P><P>- Block user on SSID with WLC</P><P></P><P>There are ways with profiling groups, etc that’s possible I guess</P></BODY></HTML> Fri, 15 Jun 2018 15:48:25 GMT https://community.cisco.com/t5/network-access-control/question-on-easyconnect/m-p/3569271#M508981 Jason Kunst 2018-06-15T15:48:25Z