Dot1x without external identity store

DamianRCL
Level 1

Hello,

Is it possible to implement Dot1x without AD or LDAP integration? If so, what are some ways it can be done?

Thank you.

15 Replies

@DamianRCL you can perform 802.1X using EAP-TLS certificates without an External Identity Source.

Though, typically if using certificates issued from an Internal CA you would authenticate the certificates and then optionally perform a lookup against AD for associated attributes, if required.

You could use a local account on ISE, but I would not recommend it as it's not a scalable solution.

If you have a RADIUS server then sure, you can use its local DB to authenticate the endpoint.

MHM

DamianRCL
Level 1

All good points. Thanks.

Is it also possible to use profiling probe results for authentication and authorization?

ISE can use MAB or CHAP, and you can use profiling.

MHM

Yes, you can. But perhaps you better describe what your goal is that you want to achieve?

@DamianRCL use MAB or DOT1X for authentication and then you can use the Profiling attributes as conditions in authorisation rules, assuming you have the licensing (requires the Advantage license) for it.

DamianRCL
Level 1

The network I'm working on uses LDAP. I would use that as an external ID store, but there would be too many hurdles (people hurdles, not technical). Currently port security is performed manually, which is an administrative chore. My goal is to implement 802.1x in a secure way without integrating with LDAP. Let me know if you need more details. Thanks.

@DamianRCL IMO, it doesn't seem practical not to integrate with LDAP if you have it. You will also need to consider the configuration of the endpoint supplicants and how they will be configured; in an AD environment this can be deployed centrally.

If you still decide not to use an External Identity Source then EAP-TLS is the most secure method, you could use the ISE CA and onboard the devices, where the users will enrol and receive a certificate. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867


DamianRCL
Level 1

Duly noted, Rob. My intent was to roll this out while limiting the involvement of other silos, but it appears that won't be possible. I'll shoot for LDAP integration when the time comes.

Thanks!

thomas
Cisco Employee

Yes, I demonstrated this in

 User & Endpoint Custom Attributes 2022-09-06

05:01 Defining User Custom Attributes for ISE Internal Users
06:10 Defining Endpoint Custom Attributes and their Common Uses
07:36 Demo: Creating User Custom Attributes
10:41 Demo: ISE 802.1X Policy Review, and Authentication

Thanks, Thomas. I'll be sure to take a look!

Pulkit Mittal
Level 1

Implementing 802.1X (Dot1x) without integrating with Active Directory (AD) or LDAP is possible in Cisco Identity Services Engine (ISE). Here are some ways to achieve this:

  1. Local Identity Store:

    • Local identity store within ISE allows you to create and manage user accounts directly within ISE.
    • You can define users and their credentials (username/password) directly in ISE.
    • While this approach is feasible, it’s not recommended for large-scale deployments due to scalability and management challenges.
  2. Certificate-Based Authentication:

    • Instead of relying on AD or LDAP for user authentication, consider using certificate-based authentication.
    • Configure ISE to accept client certificates (such as EAP-TLS) for authentication.
    • Clients present their certificates during the 802.1X process, and ISE validates them against its local certificate store or a trusted Certificate Authority (CA).
  3. Guest Services:

    • If you’re implementing Dot1x for guest access, ISE can handle guest authentication without AD or LDAP integration.
    • Set up a guest portal in ISE, create guest accounts, and allow access based on credentials provided during the guest registration process.
  4. Machine Authentication (MAB):

    • While not true Dot1x, Machine Authentication Bypass (MAB) allows devices to authenticate based on their MAC addresses.
    • Configure MAB policies in ISE to allow certain devices (e.g., printers, IP phones) without relying on AD or LDAP.
  5. Custom Identity Sources:

    • ISE allows you to define custom identity sources beyond AD and LDAP.
    • You can create custom identity sources using RADIUS, RSA SecurID, or other methods.
    • While not common, it provides flexibility for specific use cases.
  6. Local Web Authentication:

    • For scenarios where you need to authenticate users via a captive portal (web page), ISE can perform local web authentication.
    • Users provide credentials directly to ISE via the web portal.

Remember that while these methods allow Dot1x without AD or LDAP, they have limitations. Consider your specific requirements, scalability, and security needs when choosing the appropriate approach for your deployment.

If you find this useful, please mark it helpful and accept the solution.

Thanks for this, Pulkit. This places things into perspective very nicely.

But always keep in mind that ChatGPT often gives inaccurate answers.