Solved: 2960x Lan Lite

kkvitovs · ‎12-04-2019

Hello team,

2960x supports all ISE features and functionalities (AAA, Posture, Profiling, Guest etc):
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/compatibility_doc/b_ise_sdt_27.html#supportedciscoaccessswitches

What about Lan Lite? I know that we didn't recommend it, but it looks like some of the features should be supported:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_7_e/b_1527e_consolidated_2960x_cg/security_features_overview.html

1)Could I assume that AAA, Profiling, BYOD, Guest are supported with some limitations that are listed in the previous link?

2) According to the link:

Network Admission Control (NAC) Layer 2 802.1x validation of the antivirus condition or posture of endpoint systems or clients before granting the devices network access. NAC is not supported on LanLite images.

Do I understand correctly that Posture is not supported, so it doesn't make sense to buy Apex license with Lan Lite?

howon · ‎12-07-2019

Regards to Q1. Lan-Lite doesn't support dACL, pACL, or URL-Redirect so CWA or BYOD will not be possible unless using Auth VLAN feature. Profiling should work as CoA is supported. There are also additional authentication related restrictions with Lan-Lite so not recommended for secure access scenarios.

View solution in original post

hslai · ‎12-07-2019

1) Yes

2) ISE Apex licenses also enable other advanced features. If the customers not using any of them, then it does not make sense to acquire Apex.

howon · ‎12-07-2019

Regards to Q1. Lan-Lite doesn't support dACL, pACL, or URL-Redirect so CWA or BYOD will not be possible unless using Auth VLAN feature. Profiling should work as CoA is supported. There are also additional authentication related restrictions with Lan-Lite so not recommended for secure access scenarios.