Hello
We already have ISE & WLC 802.1x working. I'm trying to roll out Wired MAB and Wired 802.1x across all of our network devices (300ish in total).
Wired 802.1x auth policy: Wired_802.1x -> EAP/PEAP/TL -> use AD
Wired 802.1x authz policy: If; Wired 802.1x AND AD Group = Users/Domain Computers -> Permit Access with dACL (dACL is permit any any)
This works fine with some caveats. It seems like there is some annoying timeout/blacklisting going on where if a device fails too many auth requests then it's just blacklisted for a random amount of time. Anywhere from 15 minutes to 45 minutes before it will suddenly start working. I've changed the timeout from 60 to 5 minutes in the Admin -> Settings -> Protocol -> Radius but it hasn't made much of a difference. Is there anything else I can change on ISE or the switches to make this better?
But my main problem: I'm using the dACL to try and get our PXE boot working. The switchport authentication is open, with an ACL that only allows DHCP/DNS/TFTP/PXE & the IP of our 'PXE Satellite' that's at each site, allowing it access (it uses a random port). This works fine, the image downloads and starts installing, BUT when it tries to register to AD it fails. Since our image doesn't have the AD certificate built in, the device tries to register with our main asset management server and then tries to enroll in the AD group where it gets the certificate; this doesn't work because the dACL doesn't get applied and my "pre-auth ACL" blocks everything.
I'd rather not add the IPs of our domain controllers to the access list because then what's the point in the port security if we're allowing access to critical IPs. Could I remove the AD lookup on the authz policy (leaving just the 802.1x check) and see if I can get our AD certificate built into our PXE image, and then the dACL should be applied once Windows boots and the Wired AutoConfig service gets turned on?
Is there a better way of doing this?
Thanks
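For reference, here is an added example (not the poster's configuration) of the open-mode port setup described in the question on a Cisco IOS switch: a pre-auth ACL that passes only DHCP, DNS, TFTP/PXE and the site's PXE satellite while the port is unauthenticated, with the ISE dACL taking over once 802.1x or MAB succeeds. The satellite address, ISE address, RADIUS key, VLAN and interface are placeholders.

```cisco
! Pre-authentication ACL applied inbound on the port until the endpoint authenticates.
! 192.0.2.10 is a placeholder for the site's PXE satellite; it is permitted by host
! because it serves on random ports. Everything else is denied, which is why an
! endpoint that never authenticates cannot reach AD or the asset management server.
ip access-list extended PRE-AUTH
 remark DHCP (client and server) and DNS
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp any any eq domain
 remark TFTP and PXE proxyDHCP
 permit udp any any eq tftp
 permit udp any any eq 4011
 remark PXE satellite (placeholder address)
 permit ip any host 192.0.2.10
 deny ip any any

! Global AAA and dot1x; ISE as the RADIUS server (placeholder address and key).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius-server vsa send authentication
radius server ISE
 address ipv4 198.51.100.5 auth-port 1812 acct-port 1813
 key ISE-RADIUS-KEY-PLACEHOLDER
! dACLs only work when the switch knows the client's IP to substitute for "any".
ip device tracking

! Access port in open mode: only PRE-AUTH traffic passes before authentication;
! on success ISE pushes the dACL ("permit ip any any" in the question), which
! overrides PRE-AUTH for that session.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode multi-auth
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```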