ip device tracking and ISE

Sp@wn · ‎03-08-2019

Hi,

What is the importance of ip device tracking for CISCO ISE? Because in the cisco switch version 16.6.x and later, the ip device tracking is forcing the authentication mode to switch from the legacy mode to new-style (C3PL)configuration mode. Can we do ISE configuration without using ip device tracking on the switch? If we have to use ip device tracking, is there any confirmed C3PL ISE configuration for 3650-3850 switches?

Regards,

Sp@wn

ognyan.totev · ‎03-08-2019

Hi , that is not true. I have 3650 version 16.6.7 and i apply device tracking. There is a little difference. With this switches they comming with default device-tracking policy. I modified it a little . Conf t , device-tracking policy ISE , and ypu can config like ypu want . And attach it to the port . Interface gi 1/1/1

device-tracking policy Ise

Damien Miller · ‎03-09-2019

I agree with ognyan here, while it's policy based IPDT, you can still use IBNS 1.0 configs with it. I have done just that many times on 16.6.x, old style IBNS 1 config with a new IPDT policy. What I don't like is that when we upgrade from 3.x, we have to manually do this.

Now you might use
!
device-tracking policy DOT1X_INTERFACE
security-level glean
no protocol ndp
no protocol udp
tracking enable reachable-lifetime 10
!
int x/x/x
device-tracking attach-policy DOT1X_INTERFACE

Sp@wn · ‎03-12-2019

Also, I am using the 802.1x feature on the switch, and one of the authentication / authorization commands may be changing the switch configuration mode. I think it's my fault. Thanks for the explanations.