Cisco ISE Workflow

Hi everyone,

I have a client who asked me to configure Cisco ISE to work as below:
[image: wf.png]

They use Cisco 2960 switches. But I wonder:

- Does a system consisting of Cisco ISE and Cisco 2960 switches meet these requirements?

- Which attribute of the ISE Authentication Rules helps detect whether the Wired AutoConfig service on the client's device is running or not?

VIP Advisor

Hi,

The ISE authentication rules configuration as such won't detect whether the Wired AutoConfig service is running; rather, you'd specify the switch interface-level commands:

authentication order dot1x mab
authentication priority dot1x mab
authentication event fail action next-method

...to instruct the switch to attempt dot1x authentication first; if that fails, then fail over to MAB, at which point the ISE authorisation rules come into play regarding MAB auth or CWA.

If dot1x authentication succeeds, CWA would not run. Ideally for dot1x you'd transparently authenticate using PEAP/MSCHAPv2 or EAP-TLS; after dot1x authentication you'd then go straight to the posture compliance check stage before final authorisation.

Thank you so much!
VIP Mentor

Hi,

As RJI said, you won't be able to see whether the Windows service is started/enabled or not.

Just for your information, if you start your authentication with MAB as the 1st method, you're going to face issues. Let me explain. If a Windows machine is configured to authenticate with dot1x, this is going to be its 1st authentication method, and only if that fails will it switch to MAB. That being said, it means that if you start your authentication rules with MAB, then you won't be able to switch from MAB to dot1x, because your machine won't restart the process.

Apart from that, you can start with dot1x and fall back to MAB. Then, moving to the authorization profile, you can set up rules based on AD groups (machine or user) to send an authorization profile for CWA. Your chart is going to work as you wanted, but the 1st authentication method should be dot1x and not MAB.

You also need to fine-tune timers, as some MAB machines will try MAB 1st, and then, if not authenticated, they will be in timeout and not restart the process.

Hope this answers your question.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
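The method ordering that both replies above insist on (dot1x first, then MAB, with a fail-action fallback) is a switch-side setting, so a quick way to catch an access port that still puts MAB first is to lint the running-config. The following Python script is an added example and is not code from the thread, from Cisco or from ISE; the running-config it parses is constructed and the interface names are placeholders. It checks each interface stanza for the three commands quoted in the first reply and reports ports that deviate.

```python
"""Audit Cisco IOS interface stanzas for dot1x/MAB ordering (added example).

The sample running-config below is constructed for this example; the
interface names are placeholders, not from the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: Gi1/0/1 follows the advice in the thread,
# Gi1/0/2 puts MAB first, Gi1/0/3 lacks the fail-action fallback.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication order mab dot1x
 authentication priority mab dot1x
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
!
"""


@dataclass
class InterfaceAuth:
    name: str
    order: List[str] = field(default_factory=list)
    priority: List[str] = field(default_factory=list)
    fail_next_method: bool = False


def parse_interfaces(config: str) -> Dict[str, InterfaceAuth]:
    """Collect the authentication-related lines of every 'interface' stanza."""
    stanzas: Dict[str, InterfaceAuth] = {}
    current = None
    for raw in config.splitlines():
        match = re.match(r"^interface (\S+)", raw)
        if match:
            current = InterfaceAuth(name=match.group(1))
            stanzas[current.name] = current
            continue
        if not raw.startswith(" "):
            current = None  # '!' or another top-level command ends the stanza
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("authentication order "):
            current.order = line.split()[2:]
        elif line.startswith("authentication priority "):
            current.priority = line.split()[2:]
        elif line == "authentication event fail action next-method":
            current.fail_next_method = True
    return stanzas


def audit(config: str) -> Dict[str, List[str]]:
    """Return findings per interface; an empty list means the stanza matches the advice."""
    findings: Dict[str, List[str]] = {}
    for name, ia in parse_interfaces(config).items():
        issues: List[str] = []
        if not ia.order:
            issues.append("no 'authentication order' configured")
        elif ia.order[0] != "dot1x":
            issues.append(
                f"first method is '{ia.order[0]}'; dot1x should run first, otherwise a "
                "dot1x-capable host that starts in MAB will not restart the process"
            )
        if ia.priority and ia.priority[0] != "dot1x":
            issues.append(f"first priority is '{ia.priority[0]}'; expected dot1x")
        if "mab" in ia.order and not ia.fail_next_method:
            issues.append(
                "missing 'authentication event fail action next-method'; "
                "a rejected dot1x attempt will not fall over to MAB"
            )
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for intf, issues in audit(SAMPLE_CONFIG).items():
        print(f"{intf}: {'OK' if not issues else 'REVIEW'}")
        for issue in issues:
            print(f"  - {issue}")
```

Feed it the output of `show running-config` saved to a file and review every interface marked REVIEW; the check is deliberately limited to the three commands the thread discusses and does not judge timer values, which the second reply says need tuning per environment.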
Thanks for your answer. And one more thing I want to ask is: can we make the authentication session restart automatically? I know that when we unplug and plug the cable in again a new authentication session starts, but the client wants an automatic way so that when they type the wrong password the pop-up shows up again and they can re-type the username/password without unplugging the cable.
What do you mean by wrong password?
When you have your Windows logon screen, if the password entered is wrong, there won't be any user authentication. The authentication takes place when the user opens their Windows account. Before that, you can authenticate the machine and apply a specific ACL.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question