05-10-2025 07:17 AM - edited 05-10-2025 07:20 AM
Hello All
I have some questions related to Cisco ISE modes. Sorry if it seems traditional, but I need to verify my info regarding these points:
1- In monitor mode, can I still apply authorization results (e.g. dACL, VLAN assignment) to the endpoints, or will the switch simply not enforce them because the port is configured with the open authentication command?
2- Can a pre-authentication access list be used in closed mode? If not, does this mean that centralized web authentication and authentication of Active Directory-joined computers are not supported in closed mode (we need a pre-auth ACL to enable at least DHCP, DNS and AD services access before authentication)?
3- If the pre-auth ACL is supported in closed mode, what is the difference between the two modes in this case?
4- Finally, if ISE does not return any dACL as a result of authorization according to the authorization rule, will the pre-auth ACL still be applied at the configured port?
Thanks to you
05-10-2025 10:01 AM
Hi @mahmoud zyada,
To enable the deployment of an ISE project with the least possible operational impact, it is recommended to deploy the solution in phases.
Deploying the solution first in Monitor Mode (where devices are provided network access before the authentication request is sent to ISE) allows the administrator to identify and resolve possible causes of access blocking. Through this mode, the administrator gains visibility into authentications that resulted in success or failure, with minimal impact to users and devices.
Monitor Mode operates as an audit mode. Using log information for validation, administrators use this mode to ensure that all devices are authenticating correctly. At the same time, the authentication open command configured on switch interfaces makes it possible to provide access to the wired network without impacting connected users and devices; the Open Mode feature ensures that access is not denied, but simply monitored through log information.
Once the issues have been resolved in Phase 1, the administrator can move on to Phase 2, enabling Low-Impact Mode (which incrementally increases the security level of the network by configuring an ingress port ACL on top of the Monitor Mode interface configurations).
Once the issues have been resolved in Phase 2, the administrator can move on to Phase 3, enabling Closed Mode (which provides zero access before a response is received from ISE or a timeout occurs).
Please take a look at: Cisco ISE Secure Wired Access Prescriptive Deployment Guide.
Hope this helps!!!
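The three phases in the answer above differ on the switch only by whether the port carries the authentication open command and an ingress port ACL. As an added example (not part of the original thread and not Cisco tooling), this script classifies each interface of a saved configuration by phase. It assumes legacy `authentication ...` interface syntax; the sample config, the ACL name `ACL-DEFAULT` and the label `unauthenticated` are constructed for illustration.

```python
import re
# Constructed sample config, not taken from the thread; ACL-DEFAULT is a placeholder name.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 ip access-group ACL-DEFAULT in
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 switchport mode access
"""

def split_interfaces(config):
    """Return {interface name: [stripped sub-commands]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def classify(cmds):
    """Map one port's commands to the deployment phase described in the answer."""
    if "authentication port-control auto" not in cmds:
        return "unauthenticated"  # hypothetical label: port is outside the rollout
    if "authentication open" not in cmds:
        return "closed"           # no access before ISE replies or a timeout occurs
    # Open authentication plus an ingress port ACL is Low-Impact Mode.
    has_acl = any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds)
    return "low-impact" if has_acl else "monitor"

def audit(config):
    return {name: classify(cmds) for name, cmds in split_interfaces(config).items()}

if __name__ == "__main__":
    print("\n".join(f"{p}: {m}" for p, m in audit(SAMPLE_CONFIG).items()))
```

Running it against a saved running configuration before each phase change shows which ports are still in Monitor Mode and which were never brought into the rollout.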