Alex Pfeil
Rising star

Identity Services Engine Remediation or Quarantine VLAN Help

We currently have devices being removed from AD after a certain period of time and removed from ISE after a certain period of time. Sometimes, these devices need to be re-added to the domain and ISE. However, if they are not in ISE and not in the domain, they cannot get on the network to get back onto the domain.
Our current workaround for wireless devices is to get on our guest network and then VPN and re-join to the domain.
The wired process is to remove 802.1X and MAB from the switchport configuration, re-join the computer to the domain, and then re-add the configuration to the switch. 
I would like to have an access-list that would get applied to a failed device which would allow it to be re-joined to the network without posing a high risk to the network. Does anybody have a security concern for the access-lists that are recommended today?
Thanks,
Alex

1 ACCEPTED SOLUTION

Rob Ingram
VIP Expert

@Alex Pfeil instead of removing dot1x from the switch port config you could use CWA to force the user to be redirected to a web portal to log in; if successful, push down a dACL which permits limited access to the network to rejoin the domain.

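A worked example of the CWA-plus-dACL approach Rob describes, added here for illustration. It is not from the original post, from the accepted answer, or from Cisco documentation, and every address and object name in it is an assumption: domain controllers in 10.10.10.0/24, an ISE Policy Service Node at 10.10.20.5, a redirect ACL named ACL-WEBAUTH-REDIRECT on the switch, and a dACL named DACL-DOMAIN-REJOIN in ISE. The ISE authorization policy itself is not shown; the example assumes a rule that returns the CWA profile (with the pre-login dACL) to unknown wired MAB endpoints and, after a successful portal login with AD user credentials, a second rule that returns DACL-DOMAIN-REJOIN. Lines beginning with `!` are annotations, not ACL entries.

```cisco
! --- Switch (classic IOS) --------------------------------------------------
! The port keeps 802.1X and MAB. A machine that has lost its AD computer
! account fails dot1x, falls through to MAB, and ISE (seeing an unknown MAC)
! answers with the CWA authorization profile rather than an Access-Reject.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! CWA prerequisites: the switch must intercept HTTP/HTTPS, learn the client IP,
! send it to ISE, and accept Change of Authorization from the PSN.
ip http server
ip http secure-server
ip device tracking
radius-server attribute 8 include-in-access-req
aaa server radius dynamic-author
 client 10.10.20.5 server-key <shared-secret-placeholder>

! Redirect ACL referenced by the CWA profile. In a redirect ACL "permit" means
! redirect to the portal and "deny" means leave the traffic alone.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   ip any host 10.10.20.5
 permit tcp any any eq www
 permit tcp any any eq 443

! --- ISE dACL sent with the CWA profile (before portal login) --------------
! Only enough to get an address, resolve names, and reach the portal.
! ISE requires the source of every dACL entry to be "any"; the switch applies
! the ACL to the single authenticated session.
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host 10.10.20.5
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

! --- ISE dACL DACL-DOMAIN-REJOIN (after successful portal login) -----------
! Destinations are restricted to the domain-controller subnet. Ports are the
! ones a Windows domain join uses: DNS, Kerberos, NTP, RPC endpoint mapper,
! LDAP/CLDAP, SMB, kpasswd, LDAPS, Global Catalog, and the dynamic RPC range.
permit udp any eq bootpc any eq bootps
permit udp any 10.10.10.0 0.0.0.255 eq 53
permit tcp any 10.10.10.0 0.0.0.255 eq 53
permit udp any 10.10.10.0 0.0.0.255 eq 88
permit tcp any 10.10.10.0 0.0.0.255 eq 88
permit udp any 10.10.10.0 0.0.0.255 eq 123
permit tcp any 10.10.10.0 0.0.0.255 eq 135
permit udp any 10.10.10.0 0.0.0.255 eq 389
permit tcp any 10.10.10.0 0.0.0.255 eq 389
permit tcp any 10.10.10.0 0.0.0.255 eq 445
permit tcp any 10.10.10.0 0.0.0.255 eq 464
permit udp any 10.10.10.0 0.0.0.255 eq 464
permit tcp any 10.10.10.0 0.0.0.255 eq 636
permit tcp any 10.10.10.0 0.0.0.255 eq 3268
permit tcp any 10.10.10.0 0.0.0.255 eq 3269
permit tcp any 10.10.10.0 0.0.0.255 range 49152 65535
deny ip any any
```

Two points a practitioner would check in this design. First, the dynamic RPC range (49152-65535/tcp) is the widest opening in the rejoin dACL; confining it to the DC subnet is what keeps the exposure small, and nothing in the dACL reaches the rest of the network. Second, the portal login is what gates access to that dACL, so the ISE rule that returns DACL-DOMAIN-REJOIN should match on membership in an AD group whose users are allowed to join machines, not on any successful portal login. Once the join completes, the next reauthentication (the `authentication periodic` timer above, or a CoA from ISE) lets machine 802.1X succeed and the normal authorization profile replaces the rejoin dACL.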
2 REPLIES

Alex Pfeil
Rising star

That sounds like a great solution! I will take a look into it.
