06-25-2019 07:42 AM
Our desktop team has recently approached us stating they are changing the PC rebuild process. The current process is for them to physically remove the desktop and take them to our staging area, which has non-ISE configured ports for them to use.
Now they want to be able to PXE boot on the ISE configured dot1x ports and build this way. So far we're having no luck as ISE is putting them in the default policy which has a dACL of "Internet Only". The build process does not have a certificate currently until it joins the domain during the final step of the build process. Just wondering if there was any good documentation / suggestions on the best practices or ways to make this work.
Here is our basic access port config:
interface GigabitEthernet2/0/41
switchport access vlan
switchport mode access
switchport voice vlan
device-tracking
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 10
dot1x timeout ratelimit-period 300
dot1x timeout held-period 300
auto qos trust dscp
spanning-tree portfast
end
06-26-2019 07:10 AM
You will need to utilize low-impact mode instead of closed mode. With closed mode (your configuration) only EAPoL traffic is allowed on the port until a successful authentication is completed. With low-impact mode you define a pre-auth ACL that can allow additional traffic such as PXE. For more info you can take a look at this old but very good document:
I hope this helps!
Thank you for rating helpful posts!
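As an added illustration of the low-impact mode the answer describes (this is not from the thread or from Cisco's own documentation), here is what the port from the question could look like once a pre-authentication ACL and "authentication open" are added. The ACL name ACL-PREAUTH-PXE and the choice of permitted ports (DHCP, proxyDHCP on UDP 4011, TFTP, DNS) are assumptions for a typical PXE boot; the VLAN IDs are placeholders because the original post left them blank. Everything else is the original interface config unchanged.

```ios
! Added example, not the poster's config or Cisco documentation.
! ACL name and permitted ports are assumptions for a typical PXE boot;
! VLAN IDs are placeholders because the original post left them blank.
!
! Pre-authentication ACL. In low-impact mode it bounds what a host can send
! before ISE returns an authorization result. Applied inbound on the access
! port, so it filters only traffic from the host into the network.
ip access-list extended ACL-PREAUTH-PXE
 remark DHCP discover/request from the client to a DHCP server or relay
 permit udp any eq bootpc any eq bootps
 remark PXE proxyDHCP (UDP 4011) and TFTP download of the boot image
 permit udp any any eq 4011
 permit udp any any eq tftp
 remark name resolution during the build
 permit udp any any eq domain
 remark everything else waits for an ISE authorization
 deny   ip any any
!
interface GigabitEthernet2/0/41
 switchport access vlan <DATA-VLAN-ID>
 switchport mode access
 switchport voice vlan <VOICE-VLAN-ID>
 ! port ACL that governs the unauthenticated window
 ip access-group ACL-PREAUTH-PXE in
 device-tracking
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 ! low-impact mode: the port forwards traffic subject to the port ACL
 ! instead of dropping everything but EAPoL until authentication succeeds
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 300
 dot1x timeout held-period 300
 auto qos trust dscp
 spanning-tree portfast
end
```

Two points worth checking before relying on this. First, the pre-auth ACL only covers the window before ISE answers; once the switch applies a session dACL for that MAC (the "Internet Only" dACL from the question's default policy, for example), that dACL governs the host's traffic in place of the port ACL. The PXE and build traffic therefore has to be permitted in whatever authorization ISE returns for the unknown endpoint during the build as well, or the build stalls as soon as MAB completes. Second, verify the state on the switch with "show authentication sessions interface GigabitEthernet2/0/41 details", which shows the session's method, status and the ACL currently applied to it.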