Hi Team, One of the customer is looking for the 802.1x authentication in a wired network with location based restriction. Customer would like to achieve location based authentication based upon the switch Id & may be port ID attributes. I would l...
This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Forum Posts
Resolved! Ise block rogue domain
I have implement ise and enabled ise posture at client environment. Policy rule configured as if domain id and posture status pass will get full access. What if someone setup a laptop with same domain and pass posture, will he able to access network...
Hi, After i go through the document ISE Posture Style Comparison for Pre and Post 2.2, I'm having some question about the step 20 regarding the posture module as shown below. Step 20. At this stage Anyconnect Posture Module initiates policy server de...
Hi, I have the following question and situation. I have computer connected to Microsoft Azure AAD only not locally domain joined.These devices are registered inside intone.I would like to grant access to the WIFI if the device is in compliant inside...
hi, I tried to create CSR for system certificate, it is generated in the ISE but am unable to download the file, ISE keeps giving me a error unable to connect ISE Node(Same node with hostname).i tried to re generate the certificate it is giving me a ...
Hey all,I am trying to finalize my ISE Checkpoint Radius connection for VPN Authentication. Only problem I have, in authorization process, I want ISE to send first Group of user (I am authenticating internally) to checkpoint as attr 25. However ISE s...
Hi All We have multiple standalone ISE instances and WLC's worldwide. Users travel between sites. I want to do a SSID with the same name at all sites that has the same setting for computer authentication that would allow computers in the Domain Com...
we are about to deploy ISE NAC at our campus.as part of the design, i read about SGT Mapping. can someone explain the SGT-To-IP Mapping? (how can it scale?)can i map users (IP) to SGT? from what i have read the use of SGT-To-IP Mapping is for few IP ...
Hello Experts, The requirement is to provide different level of access to employees/contractors based on the department/BU they belong to. The employees/contractors would fall into different groups, e.g. employee1, employee2, contractor1, contracto...
Resolved! PSN in a different country
Is this a valid design for ISE 2.6? I don't see any issues as long as the latency between the PSN in country Y and nodes in country X is less than 300ms?Main site is in Country X with two nodes as admin/monitoring/psn personas. Country Y has an offic...
Hello,Is it possible to use client ip address to limit vpn accessi.e write authorization policy which would use Cisco-AVPair = "ip:source-ip=ip.add.re.ss"or Calling-Station-ID to match against defined subnetAs per documentation both are of type strin...
Resolved! Cisco TrustSec Catalyst 3650
Hi:I am attempting to follow the Cisco TrustSec Deployment guide (http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf).So far things have been going well. I am at the point of adding in my Seed dev...
We're having some trouble with ports configured with access-session closed. The switch does not see the MAC address of some devices connected to such ports. We can take one of two actions to clear this condition:1. Remove the access-session closed co...
Hi All,does anyone know if it is possible for ISE to send an alert/notification when a specific user logs on?i.e. when user johnsmith logs in, ISE sends an SNMP or email alert thanksJohn
Users exist on a RSA server and are organized by groups. I need a way to permit or deny VPN users based on their RSA group. I have RSA passing back the group name upon authentication. I can see it in RSA logs. I don't see it in ISE. I get the authent...
