Beginner

ISE Dot1x cisco 3650 Denali 16.3.5b

Does anyone have a generic template for dot1x configuration on a Cisco switch 3650 running Denali 16.3.5b? Some of the commands I see in some of the guides online are not available in Denali or have changed. Our configuration was tested on a 2960 and it worked. ISE 2.2

Accepted Solutions
Cisco Employee

Re: ISE Dot1x cisco 3650 Denali 16.3.5b

Hi Richard,

We are working on a deployment guide that will cover Cisco 3850/9300 with 16.X code. It should take a few weeks from now to be published.

In the meantime, refer to the following guides:

For IBNS 1.0 configuration:

How To: Universal IOS Switch Config for ISE

For IBNS 2.0 configuration:

How To: Universal 3850 Wired Class-based Policy Language (C3PL) Configuration for ISE

One of the significant changes in 16.X is that you will need to have device tracking configuration explicitly on the interfaces.

The best practice device tracking policy goes as follows:

device-tracking policy IPDT_POLICY
  no protocol udp
  tracking enable
! To apply to the interfaces:
interface GigabitEthernet x/y/z
  device-tracking attach-policy IPDT_POLICY

The CLI explanation goes here:

Software Configuration Guide, Cisco IOS XE Denali 16.1.x (Catalyst 3650 Switches) - Configuring IPv6 First Hop Security…

If you have any specific CLI command not working, please let us know.

thanks,

Hari
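
Because 16.X needs the device-tracking policy attached on each interface, a saved running-config can be checked for 802.1X ports that were missed. The script below is an added example, not part of the original reply or of Cisco's documentation; the sample config is constructed, and the list of commands used to recognise an 802.1X port is an assumption.

```python
# Constructed sample running-config for illustration; interface numbers are made up.
SAMPLE_CONFIG = """\
device-tracking policy IPDT_POLICY
 no protocol udp
 tracking enable
!
interface GigabitEthernet1/0/1
 authentication port-control auto
 device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/0/2
 access-session port-control auto
!
interface GigabitEthernet1/0/3
 dot1x pae authenticator
 device-tracking attach-policy UNDEFINED_POLICY
!
interface GigabitEthernet1/1/1
 switchport mode trunk
"""

# Interface commands taken here as signs that a port does 802.1X (assumed marker list).
DOT1X_MARKERS = ("dot1x pae authenticator", "authentication port-control auto",
                 "access-session port-control auto")

def parse_sections(config):
    """Map each top-level config line to the list of indented lines below it."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = sections.setdefault(line.strip(), [])
    return sections

def audit_device_tracking(config):
    """Return {interface: problem} for 802.1X ports without a usable tracking policy."""
    sections, findings = parse_sections(config), {}
    policies = {h.split()[-1] for h in sections if h.startswith("device-tracking policy ")}
    for header, body in sections.items():
        if not (header.startswith("interface ") and any(m in body for m in DOT1X_MARKERS)):
            continue
        attached = [l.split()[-1] for l in body if l.startswith("device-tracking attach-policy ")]
        if not attached:
            findings[header.split()[1]] = "no device-tracking policy attached"
        elif attached[0] not in policies:
            findings[header.split()[1]] = f"attached policy {attached[0]} is not defined"
    return findings

print(audit_device_tracking(SAMPLE_CONFIG))
```

Run it against the output of `show running-config` saved to a file by passing the file's text to `audit_device_tracking`.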

Beginner

Re: ISE Dot1x cisco 3650 Denali 16.3.5b

Hello Hari,

We have issues when trying device-tracking on 16.5.3b.

When we configured device-tracking on this 3650, it works for one brand of phone but does not work for another brand. Also, "no protocol udp" does not exist on the 16.5.3b version.


Thanks,

Contributor

Re: ISE Dot1x cisco 3650 Denali 16.3.5b

I can confirm that

Also, "no protocol udp" does not exist on the 16.5.3b version.


Cisco Employee

Re: ISE Dot1x cisco 3650 Denali 16.3.5b

The CLI command guide shows only " [no] | [protocol {dhcp | ndp} ]"

However, folks appear to be using it... see IP Device Tracking New CLI - SISF - Den... - Cisco Support Community

Beginner

Re: ISE Dot1x cisco 3650 Denali 16.3.5b

I changed my 3650 IOS-XE to boot using cat3k_caa-universalk9.16.03.06.SPA.bin as opposed to the packages.conf that is running 16.3.5b, and I can configure IPDT "no protocol UDP". Although the command is hidden, you just key it in and it will accept it; question marking (no protocol ?) will not display UDP.

Beginner

Re: ISE Dot1x cisco 3650 Denali 16.3.5b

Have you finished the Deployment Guide?

I tried my 3750X configuration on a 3850 and it is not working...

Beginner

Re: ISE Dot1x cisco 3650 Denali 16.3.5b

With the help of a vendor I was able to get a template for dot1x to work on 16.3.5b, and it should work for 16.3.6; I have not tested that yet. We are moving to the 16.3.6 code on new deployments. Let me clean up my template and I can share what I have.