Bypass 802.1X

jack samuel
Level 1

Hello everybody,

I am very new to Cisco ISE, but I have one simple question which may be stupid.

All Cisco switch ports are configured with dot1x on the switch to authenticate the machine against Microsoft AD. If I open a brand new PC, how can I join that PC to the domain without a single switch port that is excluded from dot1x?

With the access-list below (which is configured on ISE), I hope a PC can join the domain and receive an IP address once the machine is switched on and broadcasts a request for an IP address.

 permit udp any eq bootpc any eq bootps
 permit udp any any eq dns
 remark 4.4.4.4 is the corporate DNS
 permit ip any host 4.4.4.4
 deny   ip any any

thanks

3 Replies

jan.nielsen
Level 7

As I read your question, it doesn't sound like you are using a PXE environment to image your machines, and you just need to be able to join the PC to the domain. Without a specific set of ports where you have not enabled dot1x, you basically have two options:

1. Enter the PC's MAC address in some endpoint group used for this in ISE when you receive the machine, so it gets MAB validated to get access to join AD.

2. Allow full AD access in your pre-auth ACL on your switches. Your current ACL won't work, unless 4.4.4.4 is the only AD server you have.

Dear Jan,

I have configured a wired MAB authorization policy with a DACL for ISE, DNS and DHCP, with a redirect access-list on the switch. When I try to add the Windows services to the same DACL it doesn't work; when I create a separate authorization policy with a separate DACL for the Windows services, it works.

ip access-list extended wired-guest-dacl
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 10.10.40.19
 deny   ip any any log

ip access-list extended ACL-REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 remark 10.10.40.19 is ISE, excluded from redirecting
 deny   ip any host 10.10.40.19
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any

When I disable the guest redirect authorization policy and create a separate MAB for Windows login services it works for me, but I am losing the wired redirect policy. I also tried to do an AND operation in Results for the "wired MAB redirect policy"; it doesn't work.

ip access-list extended windows-login-DACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 remark 10.10.39.19 = AD servers
 permit ip any host 10.10.39.19
 remark 10.10.40.19 = ISE servers
 permit ip any host 10.10.40.19
 deny   ip any any log

Thanks
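To see why the first DACL cannot get a client onto the domain while the second can, here is an added check (not from the thread or from Cisco): a first-match evaluator for the ACE syntax used in the DACLs above, run against the flows a Windows client needs to reach a domain controller. The AD port list is an assumption of standard AD services (the RPC dynamic range is left out), and the host addresses are the ones the poster labelled as AD and ISE.

```python
# Added example (not from the thread): a first-match evaluator for the ACE syntax used in the
# DACLs above, reporting which Windows domain-join flows each DACL would block.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}
# ACEs copied from the post (10.10.39.19 = AD server, 10.10.40.19 = ISE, as the poster labelled them)
GUEST_DACL = """permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 10.10.40.19
deny ip any any log"""
LOGIN_DACL = """permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 10.10.39.19
permit ip any host 10.10.40.19
deny ip any any log"""
# Flows a Windows client needs to join/log on to AD, as (proto, src_port, dst, dst_port).
# Assumption: standard AD ports; the RPC dynamic range is omitted for brevity.
AD_FLOWS = {
    "dhcp": ("udp", 68, "255.255.255.255", 67), "dns": ("udp", None, "10.10.39.19", 53),
    "kerberos": ("tcp", None, "10.10.39.19", 88), "ldap": ("tcp", None, "10.10.39.19", 389),
    "smb": ("tcp", None, "10.10.39.19", 445), "rpc": ("tcp", None, "10.10.39.19", 135),
}

def _addr(tok, i):
    """Parse 'any' or 'host <ip>'; None means any address."""
    return (None, i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)

def _port(tok, i):
    """Parse an optional 'eq <port|name>'; None means any port."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    tok = line.split()  # action proto src [eq p] dst [eq p] [log]
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return tok[0], tok[1], src, sport, dst, dport

def permits(acl_text, proto, sport, dst, dport):
    """First matching ACE decides; no match means the implicit deny at the end."""
    for line in acl_text.splitlines():
        action, aproto, _src, asport, adst, adport = parse_ace(line)
        if aproto in ("ip", proto) and asport in (None, sport) \
                and adst in (None, dst) and adport in (None, dport):
            return action == "permit"
    return False

def blocked_flows(acl_text):
    """Names of AD flows the DACL denies; an empty list means the client can reach AD."""
    return sorted(n for n, f in AD_FLOWS.items() if not permits(acl_text, *f))
```

Running `blocked_flows` on the guest DACL lists Kerberos, LDAP, RPC and SMB as denied, which is exactly the traffic a domain join needs; the login DACL blocks none of them because it permits all IP traffic to the AD server.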

Dear Experts,

Can anybody help me with the above query?

thanks