topic Re: Cisco ISE not support IOT device in Network Access Control

Cisco ISE not support IOT device

oumodom — Wed, 30 Apr 2025 06:51:05 GMT

Dear Cisco lover,

We would like to seek your support on case not functional IoT device when we perform Closed Mode on cisco ise such the MAC addresss can't be learn on switch port.
Once we configure on switch with Low Impact mode, the IoT device is able to perform without any interruption.

It would be great if someone experienced this case and share the fix solution.

Cisco ISE v3.1
Thank you,

Re: Cisco ISE not support IOT device

Torbjørn — Wed, 30 Apr 2025 07:31:59 GMT

You will have to supply some more details. How is the device authenticating to the network? Are there any clues in the session details for the device?

Re: Cisco ISE not support IOT device

oumodom — Wed, 30 Apr 2025 08:10:10 GMT

Sure things @Torbjørn , I have shared you in posting.
First, we have low impact mode, IoT device we build profile and authentication through MAB.
Then, when we commit the command of Closed mode, the switch port will be disconnected and no any MAC address learn on switch.

There is impact only kindly of access door/UPS.
Fortunately, printer/camera ... can work perfectly on closed mode.

Re: Cisco ISE not support IOT device

MHM Cisco World — Wed, 30 Apr 2025 09:42:41 GMT

It true not all device work good with close mode' some need low impact mode since it need to get IP and/or some info before it fully work and start send Frame which make SW learn it MAC.

MHM

Re: Cisco ISE not support IOT device

oumodom — Wed, 30 Apr 2025 10:05:49 GMT

Any workaround solution @MHM Cisco World and how to ensure the right product to support with closed mode?

Re: Cisco ISE not support IOT device

andrewswanson — Wed, 30 Apr 2025 10:25:57 GMT

When you enable closed mode on the interfaces used by access door/UPS devices, have you tried bouncing the port? Perhaps these devices aren't transmitting packets as regularly as your printers (that do pass MAB in closed mode0

hth

Andy

Re: Cisco ISE not support IOT device

oumodom — Fri, 02 May 2025 04:39:33 GMT

Hi @andrewswanson
Just some of IoT device only.
We can not bounce the port once it disconnected status.
If we bounce the port, the device will be resulted disconnected.

Re: Cisco ISE not support IOT device

oumodom — Fri, 02 May 2025 06:21:36 GMT

Hello @Arne Bier @Aref Alsouqi @Greg Gibbs

Do you experience this such an issue?
Thank you for your idea.

Re: Cisco ISE not support IOT device

Aref Alsouqi — Wed, 21 May 2025 08:33:04 GMT

Probably you already resolved this issue by now? one of the main differences between low-impact and closed mode is that with the low-impact mode you would have a default access list applied to the port where some traffic will be allowed. In closed mode anything will be denied on the switch port with the exception for EAPoL traffic until the authentication and authorization are completed. Another main difference in low-impact mode is that the traffic on the switch port will still be passing even if ISE returns an access reject and it will be subject to the switch port access list.

Now for the IoT or whichever dummy devices to start the authentication process they need to send at least one frame to the switch before the switch relay that info to ISE and based on the response back from ISE the authentication will be accepted or rejected. The devices do not need any IP addressing during this process, and the main detail that will be taken from the frame received from the devices to the switch port is their MAC addresses. Those MAC addresses will be used as their credentials for authentication and also authorization.

Assuming the authentication has passed, the authorization process would start, and the returned attributes from ISE will be applied to the port, whether to fully open the port or apply specific attributes.

This process should not change if the port is in low-impact or closed mode. As long as the IoT device sends a frame the switch will take it and relay it to ISE for authentication and subsequently for authorization. If the IoT device does not send any frame this whole process will not be triggered.

Rebouncing the port usually helps as the connected devices to the switch ports might send some frames, however, other devices might not. Also, some devices might send frames periodically which means that you would need to wait for some time before those devices start talking to the switch by sending some frames.

Were you getting anything on ISE logs for those devices?

Re: Cisco ISE not support IOT device

ahollifield — Thu, 22 May 2025 12:11:39 GMT

I am a Cisco ISE lover. Also some IOT network stacks are very poorly implemented. Make sure the firmware is up to date. If that doesn't work you may need to exclude that particular port from authentication.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-1-3-2.html

Re: Cisco ISE not support IOT device

oum-odom — Fri, 20 Jun 2025 03:44:31 GMT

Hi @Aref Alsouqi

Not yet resolved, the issue when we unplug cable, this IoT device can't connect or even no MAC address detect on switch.
Workaround solution just revert to low-impact mode to get device connected, then apply command closed mode one by one.

We don't accept this workaround solution, open with TAC they just capture the switch log but not solution yet.

Re: Cisco ISE not support IOT device

Aref Alsouqi — Fri, 20 Jun 2025 10:30:47 GMT

Thanks for the update. What switch model and release are you running on this/these switches out of interest?

Re: Cisco ISE not support IOT device

oum-odom — Wed, 02 Jul 2025 02:15:05 GMT

9200L

Re: Cisco ISE not support IOT device

Aref Alsouqi — Wed, 02 Jul 2025 15:30:00 GMT

What software?

Re: Cisco ISE not support IOT device

oum-odom — Mon, 07 Jul 2025 08:00:42 GMT

Hello Aref here the switch software IOSXE.

Re: Cisco ISE not support IOT device

Aref Alsouqi — Mon, 07 Jul 2025 10:33:49 GMT

Sorry what I meant, what software release is running on the switch because the issue could be caused by a software bug in that specific release. In the past I saw similar issues that have been fixed with software upgrades.

Re: Cisco ISE not support IOT device

oum-odom — Tue, 08 Jul 2025 01:53:43 GMT

Hi @Aref Alsouqi could you please share the workable software on switch, since we are running the latest software already.

Re: Cisco ISE not support IOT device

Aref Alsouqi — Tue, 08 Jul 2025 09:12:20 GMT

It depends, I would look at the open caveat/bugs of the release you are running and see if there is anything reported in there.

Re: Cisco ISE not support IOT device

MHM Cisco World — Tue, 08 Jul 2025 09:35:57 GMT

I will send you later today what I think solution for your issue

MHM

Re: Cisco ISE not support IOT device

oum-odom — Mon, 28 Jul 2025 06:13:08 GMT

Please share