Cisco ISE CAM and AP ports

Hi all 

I'm in a new Cisco ISE deployment and have already finished the users' ports and also the voice ports, but I have a question: I have around 250 CAM and 80 AP. What should I do with those ports? Is there a best practice, or do I need to apply auth or not?

3 Accepted Solutions

marce1000
Hall of Fame

  - In general it's best to have Network Access Control for every connection (port); for those you may need to fall back to MAB-based authentication only.

  M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'


Depends on what type of APs. Are they connected to trunk or access ports? Are you planning on using smart-port macros or something else for dynamic configuration?


By CAM do you mean cameras? If so, I would recommend configuring them with dot1x. Nowadays all the decent CCTV camera vendors support dot1x on those devices. Best practice would be to go with certificate-based authentication; however, a challenge you might find with the CCTV cameras is how to easily manage the certificate rollout. It's been my experience to see a lack of a good management tool to roll out the certificates, and the only option was to go to each individual camera, generate the CSR, issue the certs and then go again and import them. An alternative way to do this would be to use a tool like OpenSSL to generate the certs and then import them on each individual camera, but none of these solutions would be scalable. The second least preferred solution would be configuring the cameras to do dot1x with username and password.

For the APs, as mentioned by @ahollifield, if those APs are connected to trunk ports then I don't think you can configure them with dot1x.


6 Replies


PSM
Level 1

Hi @Aref Alsouqi @ahollifield, for APs connected on a trunk port (FlexConnect mode) the host mode can be configured to multi-host using the command "access-session host-mode multi-host". In this case only one host, the first MAC (the WAP MAC address) connecting to the network, will be authenticated before allowing network access. After that all other MACs (client MAC addresses) will be allowed without authentication on the switch. Clients are already authenticated by the WLC, so it is not required to do the authentication again on the switch. @saeedabdelhalimhamada
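The two port profiles discussed in this thread (a camera access port with 802.1X and MAB fallback, and a FlexConnect AP trunk port in multi-host mode), written out as an added example that is not from the original posts. It uses the legacy `authentication` command syntax of a Cisco IOS switch; PSM's `access-session host-mode multi-host` is the IBNS 2.0 new-style equivalent of `authentication host-mode multi-host`. Interface names, VLAN numbers and platform support for 802.1X/MAB on trunk ports are assumptions.

```cisco
! Camera access port (assumed interface/VLAN): try 802.1X first, then MAB.
! A camera with no supplicant, or one that fails 802.1X, moves to the next
! method; MAB only succeeds if ISE knows the camera MAC (endpoint group/profile).
interface GigabitEthernet1/0/10
 description CCTV camera
 switchport mode access
 switchport access vlan 40
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication host-mode single-host
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! FlexConnect AP on a trunk (assumes the platform allows authentication on
! trunk ports): only the first MAC seen, the AP itself, is authenticated;
! wireless client MACs behind it are forwarded without a second check,
! since the WLC has already authenticated those clients.
interface GigabitEthernet1/0/20
 description Wireless AP (FlexConnect)
 switchport mode trunk
 switchport trunk native vlan 50
 authentication host-mode multi-host
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast trunk
```

Note that the trunk port configuration is static, which is the point made in the reply below: multi-host authenticates the AP but does not make the port configuration itself dynamic.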

Sure, but this doesn't allow the port config to be "dynamic". You still have to manually configure the port as a trunk with multi-host.

Just thinking, maybe using NEAT would be a solution for the APs? The example in this link is using a switch as a supplicant, but maybe that can also be an AP?

ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community