Choosing mab or dot1x at the same port with ise

yusuf76225 (Level 1)

Dear Expert,

I want to ask about MAB and dot1x.

My customer wants their office to have this kind of user experience when connected to wired:

  1. When a laptop that has joined the domain is connected to "PORT A", the laptop will immediately get internet access.
  2. When a guest laptop is connected to "PORT A" (the same port as in use case number 1), a browser pop-up will appear, and the user must log in using an AD user or an internal user on ISE.
  3. The customer wants to separate the VLANs between the dot1x user VLAN and the MAB user VLAN for users who log in using the browser pop-up.

My question is, is a use case like this possible to configure?

Are there any drawbacks to using a use case like this?

I found a reference document which is similar to my case:

https://community.cisco.com/t5/security-documents/how-to-configure-wired-802-1x-amp-mab-authentication-with-ise-on/ta-p/3657380

Accepted Solution

Mike.Cifelli (VIP Alumni)

My question is, is a use case like this possible to configure?

-This use case is definitely possible, and many do similar setups.  You will rely on your switch config, and ISE to steer the proper policy based on trusted endpoints versus non-trusted endpoints.  See the following for additional assistance:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

are there any drawbacks when using a use case like this ?

-No, besides a general understanding of the configuration needed and the overall workflows.

HTH!


2 Replies

Hi,

 

This is possible.

1. When a domain laptop connects, it will use dot1x authentication.

2. When a non-domain laptop connects, it will be redirected to the Guest Page to log in using registration or an AD username.

(https://integratingit.wordpress.com/2020/01/19/ise-guest-access/)

3. DHCP renew and release is also possible (https://integratingit.wordpress.com/2018/05/07/configuring-cisco-ise-dynamic-vlan-assignment/), so it will move into a new VLAN. There will be a disconnection, as there will be a port bounce or CoA to assign a new IP address to them.

 

Please rate if helpful
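The switch-side configuration that both replies above assume, written out as an added example (it is not from either reply, nor from the linked guides). It shows "PORT A" running 802.1X first with MAB as the fallback on the same port, the redirect ACL that ISE names in its url-redirect-acl AV pair for the guest portal, and the dynamic-author (CoA) client ISE needs to move the guest into its own VLAN after the portal login. The ISE address 10.10.10.10, the VLAN numbers 100 (corporate), 200 (guest) and 999 (critical), the ACL name and the RADIUS secret placeholder are all assumptions; the syntax is classic IOS (IBNS 1.0), so on IOS-XE `ip device tracking` becomes a `device-tracking` policy.

```cisco
! --- Global AAA / RADIUS (ISE PSN 10.10.10.10 and the shared secret are placeholders) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Accept RADIUS CoA (reauth / port bounce) from ISE once the guest has logged in on the portal
aaa server radius dynamic-author
 client 10.10.10.10 server-key <RADIUS-SECRET>
!
radius server ISE-PSN1
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key <RADIUS-SECRET>
!
dot1x system-auth-control
! The switch itself answers the guest's HTTP/HTTPS in order to redirect it to the ISE portal
ip http server
ip http secure-server
! Needed so the switch knows the endpoint's IP for the redirect (classic IOS syntax)
ip device tracking
!
! --- Redirect ACL referenced by the ISE guest authorization profile (url-redirect-acl) ---
! In a redirect ACL "deny" means do NOT intercept (DNS, DHCP and traffic to ISE pass through);
! "permit" means intercept and redirect to the portal.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   ip  any host 10.10.10.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
! --- "PORT A": 802.1X tried first, MAB as fallback, VLAN comes from ISE ---
interface GigabitEthernet1/0/1
 description PORT A - dot1x with MAB fallback, VLAN assigned by ISE
 switchport mode access
 switchport access vlan 100
 ! Fall through to MAB when 802.1X fails or times out (a guest laptop has no supplicant)
 authentication event fail action next-method
 ! Deliberate fail-open: if every RADIUS server is dead, authorize into a restricted VLAN.
 ! Remove this line if the customer prefers fail-closed when ISE is unreachable.
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! 3 x tx-period is how long a supplicant-less laptop waits before MAB starts:
 ! 10 s brings that from ~90 s (default 30 s) down to ~30 s
 dot1x timeout tx-period 10
 spanning-tree portfast
```

On the ISE side this needs three authorization rules, in this order: a dot1x rule for AD computers/users returning the corporate VLAN (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=100); a MAB rule for MACs not yet in a guest endpoint group returning `url-redirect-acl=ACL-WEBAUTH-REDIRECT` plus the portal `url-redirect` AV pair, together with a dACL that only permits DNS, DHCP and the PSN so the unauthenticated device can reach nothing else (the redirect ACL decides what gets intercepted, not what is allowed); and a MAB rule matched after a successful portal login that returns the guest VLAN 200. The drawback the first reply mentions comes from the third step: the laptop already holds a DHCP lease from VLAN 100 when ISE moves it, so the CoA type on the guest flow should be Port Bounce (or the endpoint must release/renew) or it keeps its old address in the new VLAN; the link flap is the "disconnection" the user will see.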
