06-04-2021 07:06 AM
Folks,
We have this use case of allowing laptops which are in the provisioning stage to be connected to the network. The challenge is that these laptops must, at a bare minimum, be able to reach the provisioning servers.
The testing and layout of our network is such that if the laptop is able to authenticate itself with 802.1x it gets the desired employee access. For this, the laptop already has the employee certificate and profiles.
If this is not the case, the laptop gets guest access, which means internet only.
This is not the same with a laptop under provisioning i.e. it should not get Internet only. Any hints or suggestions how we can overcome this use case?
Thanks,
N!!
Labels: Identity Services Engine (ISE)
Accepted Solutions
06-06-2021 05:10 PM
This is a common issue with NAC-enabled environments due to the way Windows builds work and the fact that MS never implemented a way to enable 802.1x at an early stage in the build. See a similar discussion with some suggestions in this post.
06-04-2021 07:20 AM - edited 06-04-2021 07:21 AM
The testing and layout of our network is such that if the laptop is able to authenticate itself with 802.1x it gets the desired employee access. For this, the laptop already has the employee certificate and profiles.
ISE puts the device in the default VLAN, which you can use for device provisioning; based on the device authentication here, allocate the device to a different VLAN as an onboarding VLAN.
I hope you are looking for the device to connect to the SCCM server?
06-04-2021 08:28 AM
Thanks for the response Balaji.
The challenge we have is that the default VLAN is considered as the Guest VLAN which is internet access alone.
Unless I did not understand you well.
The other method we were thinking of is using APIs: enter the MAC of the laptop to be provisioned through some API and create a list of such MAC addresses. Then this policy set gets an assigned VLAN for the provisioning.
Maybe any other method?
Thanks!!
N.
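The API approach floated above, as an added example that is not part of this thread or of Cisco's own tooling: the script registers a MAC address as a static member of a dedicated endpoint identity group through the ISE ERS endpoint resource, so a MAB policy set matching that group can return the provisioning VLAN rather than the guest VLAN. The ISE hostname, the ERS account and the group UUID are placeholders; the MAC normalisation rejects malformed input so a typo cannot create a bogus entry.

```python
import json
import re

# Assumptions (not from the thread): ERS is enabled on the ISE PAN (TCP 9060),
# an ERS admin account is available, and an endpoint identity group such as
# "Provisioning" exists whose UUID is known. Both values below are placeholders.
ISE_HOST = "ise.example.internal"
PROVISIONING_GROUP_ID = "00000000-0000-0000-0000-000000000000"

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 'aabbccddeeff', 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or
    'aabb.ccdd.eeff' and return ISE's canonical 'AA:BB:CC:DD:EE:FF'.
    Raises ValueError for anything that is not exactly 12 hex digits."""
    hexdigits = re.sub(r"[:\-.]", "", raw.strip())
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = hexdigits.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_endpoint_payload(raw_mac: str, description: str) -> dict:
    """Body for the ERS 'endpoint' resource. staticGroupAssignment pins the
    MAC to the provisioning group so profiling cannot move it elsewhere."""
    mac = normalize_mac(raw_mac)
    return {
        "ERSEndPoint": {
            "name": mac,
            "description": description,
            "mac": mac,
            "staticGroupAssignment": True,
            "groupId": PROVISIONING_GROUP_ID,
        }
    }


def provision_endpoint(session, raw_mac: str, description: str) -> int:
    """POST the endpoint to ISE. `session` is a requests.Session that already
    carries the ERS credentials (basic auth). Returns the HTTP status code;
    ISE answers 201 when the endpoint was created. Delete the endpoint again
    once the build has finished, since a MAB entry only proves the MAC."""
    resp = session.post(
        f"https://{ISE_HOST}:9060/ers/config/endpoint",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        data=json.dumps(build_endpoint_payload(raw_mac, description)),
        timeout=10,
    )
    return resp.status_code
```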
06-04-2021 09:51 AM
Which you can use for device provisioning based on the device authentication here allocate Device to different VLAN as on boarding VLAN.
My suggestion was the same as you were thinking: a different VLAN, not the same as the default.
As you mentioned in the first post, does the device have a certificate? Yes or no.
If yes, you have identified the device to send to the different VLAN; if no, you need MAB authentication based on the MAC address and allocated to the provisioning VLAN as the workflow.
06-10-2021 11:37 PM
Sorry again for the delayed response.
The device will have no certificate as it will still be in the provisioning state.
The MAB based is fine, but now we will have to assign MAC addresses manually.
06-06-2021 04:18 PM - edited 06-06-2021 04:20 PM
You will need to add ACL entries to your default VLAN that also permit access to your provisioning server(s).
Alternatively, some customers use open ports in physically secure rooms to provision servers.
You may also create temporary MAB exceptions if you know the devices but that's not very dynamic. I've seen this temporary access called a "voucher". See https://developer.cisco.com/codeexchange/github/repo/obrigg/Vanilla-ISE
You could login to the guest portal with an ISE internal user 'provisioning' account that allows internal access only to the necessary servers.
Many options here depending on what you find [un]acceptable.