I have a client asking me to configure Cisco ISE to work as below:
They use the Cisco 2960 switch. But I wonder:
- Does a system consisting of Cisco ISE and the Cisco 2960 switch meet these requirements?
- Which attribute of the ISE authentication rules helps detect whether the Wired AutoConfig service on the client's device is running or not?
The ISE authentication rules configuration as such won't detect whether the Wired AutoConfig service is running; rather, you'd specify the switch interface-level commands:
authentication order dot1x mab
authentication priority dot1x mab
authentication event fail action next-method
... to instruct the switch to attempt dot1x authentication first; if that fails, it fails over to MAB, at which point the ISE authorisation rules come into play regarding MAB auth or CWA.
If dot1x authentication succeeds, CWA would not run. Ideally, for dot1x you'd transparently authenticate using PEAP/MSCHAPv2 or EAP-TLS; after dot1x authentication you'd then go straight to the posture compliance check stage before final authorisation.
As RJI said, you won't be able to see whether the Windows service is started/enabled or not.
Just for your information, if you start your authentication with MAB first, you're going to face issues. Let me explain. If a Windows machine is configured to authenticate with dot1x, this is going to be its first authentication method, and only if that fails will it switch to MAB. That said, it means that if you start your authentication rules with MAB, you won't be able to switch from MAB to dot1x, because your machine won't restart the process.
Other than that, you can start with dot1x and fall back to MAB. Then, moving to the authorization profile,
you can set up rules based on AD groups (machine or user) to send an authorization profile for CWA. Your chart is going to work as you wanted, but the first authentication method should be dot1x and not MAB.
You also need to fine-tune the timers, as some MAB machines will try MAB first and then, if not authenticated, will be in timeout and not restart the process.
Hope this answers your question.
Thanks for your answer. And one more thing I want to ask is: can we make the authentication session auto-restart? I know that when we unplug and plug the cable again, a new authentication session is started, but the client wants an automatic way so that when they type the wrong password, the pop-up shows up again and they can re-type the username/password without unplugging the cable.