https://community.cisco.com/t5/network-access-control/ise-third-party-support/m-p/4187510#M563945 <P>On top of the links provided take a peek at the ISE Resources links at the top of the 'Network Access Control' community forum as there are really good examples and guides there.&nbsp; Also, for free tutorials for ISE config demos take a look at:&nbsp;<A href="http://labminutes.com/video/sec" target="_blank">Video: Security | Lab Minutes</A></P> <P>Am I understanding correctly that the switches just need to support&nbsp;802.1X, or that need to support&nbsp;802.1X and have RADIUS and TACACS integration built in?</P> <P>-Yes.&nbsp; Devices will need to be able to support dot1x and radius.&nbsp; Radius is used between the authenticator (switch) and ISE (authentication server).&nbsp; Note there are specific licenses (Base) needed to support your typical AAA services.</P> <P>Do I also understand correctly that ICE can have exceptions for certain nodes and endpoints if there are compatibility issues, but any new devices added to those nodes, a bad actor or such would still be blocked by ICE?</P> <P>-Yes.&nbsp; You will utilize your policy sets to steer policy and allow (authorize) good known clients onto the network.&nbsp; Bad actors should not match any policies and hit the default policy which should be secured (deny access).</P> <P>HTH!</P> <P>&nbsp;</P> Mon, 23 Nov 2020 13:36:08 GMT Mike.Cifelli 2020-11-23T13:36:08Z https://community.cisco.com/t5/network-access-control/ise-third-party-support/m-p/4187411#M563940 <P>Hi there, and thank you for reading.</P><P>&nbsp;</P><P>Been out of IT infrastructure for a number of years and struggling to get up to speed rapidly.</P><P>Im looking at an existing ICE system supporting AAA/ Profiling/BTOD/Guest/Posture services.</P><P>We are looking to add some third party switch hardware and door access/cctv endpoints, which we want to be complient with ICE. Am I understanding correctly that the switches just need to support&nbsp;802.1X, or that need to support&nbsp;802.1X and have RADIUS and TACACS integration built in?</P><P>Do I also understand correctly that ICE can have exceptions for certain nodes and endpoints if there are compatibility issues, but any new devices added to those nodes, a bad actor or such would still be blocked by ICE?</P><P>&nbsp;</P><P>Many thanks in Advance</P><P>Fraser</P> Mon, 23 Nov 2020 10:49:49 GMT https://community.cisco.com/t5/network-access-control/ise-third-party-support/m-p/4187411#M563940 FraserJohnston62763 2020-11-23T10:49:49Z https://community.cisco.com/t5/network-access-control/ise-third-party-support/m-p/4187450#M563942 <P>&nbsp;</P> <P>&nbsp;- Check below link for examples :</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;<A href="https://community.cisco.com/t5/security-documents/ise-third-party-nad-profiles-and-configs/ta-p/3648719" target="_blank">https://community.cisco.com/t5/security-documents/ise-third-party-nad-profiles-and-configs/ta-p/3648719</A></P> <P>&nbsp;M.</P> Mon, 23 Nov 2020 12:12:50 GMT https://community.cisco.com/t5/network-access-control/ise-third-party-support/m-p/4187450#M563942 Mark Elsen 2020-11-23T12:12:50Z https://community.cisco.com/t5/network-access-control/ise-third-party-support/m-p/4187476#M563944 <P>here is the device matrix based on the version of ISE you running</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html" target="_blank">https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html</A></P> Mon, 23 Nov 2020 12:48:19 GMT https://community.cisco.com/t5/network-access-control/ise-third-party-support/m-p/4187476#M563944 balaji.bandi 2020-11-23T12:48:19Z https://community.cisco.com/t5/network-access-control/ise-third-party-support/m-p/4187510#M563945 <P>On top of the links provided take a peek at the ISE Resources links at the top of the 'Network Access Control' community forum as there are really good examples and guides there.&nbsp; Also, for free tutorials for ISE config demos take a look at:&nbsp;<A href="http://labminutes.com/video/sec" target="_blank">Video: Security | Lab Minutes</A></P> <P>Am I understanding correctly that the switches just need to support&nbsp;802.1X, or that need to support&nbsp;802.1X and have RADIUS and TACACS integration built in?</P> <P>-Yes.&nbsp; Devices will need to be able to support dot1x and radius.&nbsp; Radius is used between the authenticator (switch) and ISE (authentication server).&nbsp; Note there are specific licenses (Base) needed to support your typical AAA services.</P> <P>Do I also understand correctly that ICE can have exceptions for certain nodes and endpoints if there are compatibility issues, but any new devices added to those nodes, a bad actor or such would still be blocked by ICE?</P> <P>-Yes.&nbsp; You will utilize your policy sets to steer policy and allow (authorize) good known clients onto the network.&nbsp; Bad actors should not match any policies and hit the default policy which should be secured (deny access).</P> <P>HTH!</P> <P>&nbsp;</P> Mon, 23 Nov 2020 13:36:08 GMT https://community.cisco.com/t5/network-access-control/ise-third-party-support/m-p/4187510#M563945 Mike.Cifelli 2020-11-23T13:36:08Z