Info for ISE AAA Policy design

matteodapozzo
Level 5

Hi Cisco Communities,

I would like to know your opinion (ISE veterans) about this implementation that I need to design for an existing ISE installation (two VM nodes Active/standby, ISE version 2.1 patch 1):

REQUIREMENTS:

  1. Non-domain client PCs should have a CWA process with AD credentials or Sponsored credentials (if CWA is successful then give Internet Access to the client)
  2. Domain client PCs should have the 802.1X supplicant enabled by AD GPO and follow 802.1X authentication through EAP-PEAP (if successful then FULL ACCESS = Internet connectivity + full network access to company assets)

I would like to know your opinion about these two possibilities:

OPTION A (VLAN Change + DACL):

    • All switch ports in a dummy VLAN by default, that has no internal network access and no Internet access in terms of ACLs (dot1x first, then if it fails go with MAB in order to trigger CWA)
    • if client is a domain PC and 802.1X succeeds then apply a DACL with full network access
    • if client is a domain PC and 802.1X fails then go with MAB in order to trigger CWA
    • if client is a domain PC OR non-domain PC and CWA succeeds then apply a DACL in order to give Internet Access
    • if client is a domain PC OR non-domain PC and CWA fails then no access

OPTION B (SGT reassignment):

    • All switch ports defined with a static SGT tag (that has no internal network access and no Internet access in terms of ACLs)
    • if client is a domain PC and 802.1X succeeds then apply a new SGT tag with full network access
    • if client is a domain PC and 802.1X fails then go with MAB in order to trigger CWA
    • if client is a domain PC OR non-domain PC and CWA succeeds then apply a new SGT tag in order to give Internet Access
    • if client is a domain PC OR non-domain PC and CWA fails then no access.

Thanks,

M.

Accepted Solutions

I'm not an expert, but I'll give an example of what we do here.

With switches, we do DACLs as we have a lot of VLANs and it would require way too many rules.

Now, we don't allow guests to plug in, but that you could obviously modify for what you need.

So, basically in a closet, the PC and voice have a separate VLAN and by default we have an unauth ACL applied to the port.

When the phone logs in, we send down a full access DACL and the phone can boot up. When the PC logs in, we send a DACL to give access.

At this point, we only auth the PC from the old system. Going forward we plan to have the PCs send user data so we can send DACLs based off user roles.

Now, we do have a separate VLAN for external Internet access, so you could send a VLAN change down to guests and a DACL to block any access to internal resources.

Anyway, it's very flexible, so you really need to look at what is existing and what would be best for the environment.
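As an added example (not from the original question or the reply above), here is what the switch side of OPTION A and of the phone-plus-PC port described in the reply look like in classic IOS (IBNS 1.0 style) syntax: a pre-authentication ACL as the "dummy" port state, dot1x with MAB fallback, a redirect ACL for CWA, and the DACL contents ISE would return. VLAN numbers (100 data, 200 voice), the ISE PSN address 192.0.2.10, the shared secret, the interface and the ACL names are assumed placeholders, not values from the page.

```cisco
! --- Global AAA / RADIUS towards ISE (DACL download and CoA both need this) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 192.0.2.10 server-key ISE-SHARED-SECRET
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ISE-SHARED-SECRET
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
radius-server vsa send accounting
dot1x system-auth-control
! Device tracking is required so DACL "any" sources and the URL redirect bind to the client IP
ip device tracking
!
! --- Pre-authentication ACL: the default state of every port before ISE answers.
! Only DHCP and DNS are allowed; everything else is dropped until a DACL replaces it.
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
! --- Redirect ACL named by ISE's url-redirect-acl AV pair in the CWA result.
! "deny" = do NOT redirect (DNS, and traffic to the ISE portal itself); "permit" = redirect.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny udp any any eq domain
 deny ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any
!
! --- Access port: dot1x first, then MAB (the MAB result is what carries the CWA redirect).
! multi-domain lets a phone (voice domain) and a PC (data domain) each get their own DACL,
! as in the reply above.
interface GigabitEthernet1/0/1
 description ISE-controlled access port (assumed)
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! --- ISE side (these are DACL contents typed into ISE authorization profiles, NOT switch CLI).
! Full access, returned when 802.1X (EAP-PEAP) succeeds for a domain PC:
!   permit ip any any
! Internet only, returned after a successful CWA (RFC 1918 ranges assumed as "internal"):
!   permit udp any any eq domain
!   deny ip any 10.0.0.0 0.255.255.255
!   deny ip any 172.16.0.0 0.15.255.255
!   deny ip any 192.168.0.0 0.0.255.255
!   permit ip any any
```

The flow this produces: a domain PC authenticates with dot1x and gets the full-access DACL; a PC whose dot1x fails (or a non-domain PC with no supplicant) falls through to MAB, ISE answers with the redirect ACL and portal URL, and after the user passes CWA, ISE sends a CoA so the switch re-authenticates the session and the authorization policy can match it as a guest-flow session and return the Internet-only DACL. Two checks worth doing before choosing: confirm with `show authentication sessions interface Gi1/0/1 details` that the DACL actually replaced ACL-DEFAULT on the session, and note that with OPTION B the SGT on its own restricts nothing; enforcement only happens where an SGACL-capable device sits in the path, whereas a DACL is enforced at the access port itself.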
