Network Access Control

Hi everyone, If I'd like to check more than one FQDN for a CRL prior to authenticating a trusted certificate, is this supported? As far as I can tell the documentation doesn't define this field as a list but as a single URL.  Example:  myCDP1.mydomai...

Someone has told me that you can't use multiple subCA for EAPTLS authentication. Is this true?

Hi Everyone (long time reader first time poster), I have a Cisco IE4000 (actually a Rockwell Stratix 5400 OEM switch but they are hardware & IOS identical for purpose of this discussion) setup with RADIUS and TrustSec connections to an ISE server (ru...

Hi all, My 802.1x environment is using ISE version 2.4 and my NAD is cisco WLC AIR-CT3504. The policy set in place require my wireless clients to pass machine cert and user cert authentication before they can connect to my network. However on adhoc b...

  ISE CWA with Flex Connect local switching.    With this configuration does the client start off in one VLAN and then get switched to the local VLAN on the AP? I expect AAA override and CoA would be part of this? How does the client handle the re-dh...

We have a customer who has F5 and PSNs in LTM mode but are doing an SNAT for incoming radius traffic hence all radius requests appear to come from the F5. This is because F5 and PSNs are separated by L3 and are not physically inline.    However it is...

It's possible to query and get a list of endpoints in a given Identity Group: curl -k --header 'Accept: application/json' --user xxx:yyy https://omf-01-ise01:9060/ers/config/endpoint?filter=groupId.EQ.12abb870-295a-11e9-aed1-76f66f54fcc8 However `cus...

I have been trying to properly profile devices and get them put into specific rules instead of the last rule. My last rule is called 'Closed_Mode'. I want the endpoint to hit the AuthZ rule 'Global..SJ_Computers'. it appears to hit the proper rule in...

I really want to get the HTTP User-Agent attribute on my endpoints. I understand that the only ways to do that are URL redirect or SPAN. I don't want to do SPAN.  But using the URL redirect doesn't really seem to work for me either because I don't wa...

Hi, Can I have a posture condition for the following in ISE 2.4/2.6? Cisco Umbrella agent in installed and runningQualys agent is installed and runningPlease note - requirement is not for pxgrid integration of qualys or umbrella, only for posture che...

Hello all,I could use some assistance with getting my arms around Compliance Module.  I don'trecall this being an objective in the CCNP Security 300-208 exam.  It is now an objectivein the 300-715 exam.  More specifically, item 6.3, "Configure the co...

Hi, I'm interested in adding a pxGrid node to allow 3rd party systems use ISE for quarantine/COA.My workstations are now licensed via Base licenses, and to my understanding require Plus licensing for pxGrid content sharing in order to be managed via ...

Hi, Are there any guides available for integrate Firepower Threat Defence with ISE using pxGrid?I found an excellent guide by Katherine McNamara here - http://www.network-node.com/blog/2017/1/2/rapid-threat-containment-with-ise-21-and-firepower-61?rq...

Hello Team,   We are using full-blown ISE (no ISE-PIC) for usual 802.1x (EAP-TLS-based Machine auth mainly) and now configuring same ISE deployment for PassiveID to distribute User-IP mappings from AD (via ISE AD Agents) towards WSA and FMC. We are n...

Client gets authenticated and result is applied but supplicant switch errors the VLAN TEST is non-existent or shutdown which is both no true. Is this a limitation of CISP?  %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdow...