Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

yuxiang zhou

ISE and Symantec SEP 11 Interworkering Question

Hi guys,

I have a question about ISE and Symantec SEP 11.

In my customer envrionment, they want to build a wireless byod work place.  But the endpoints are installed SEP software.

Do you know the workflow for the SEP, when it check the system is not secrity then put my endpoints to the guest VLAN.

In my opinion, the endpoints should authenticationed and authorized by ISE first.

Then, the endpoints should connect to internet successfully.

Now, if the endpoints using SEP software to check the system status.

What should the SEP do if the system is not safe?

Is the SEP return a signal to Switch, let it change the Vlan configuration of the interface to the Guest Vlan ?

But this action will cause the AP disconnect to the WLC, and makes all the clients which is connect to this AP is disconnect.

Somebody knows it ?

Thank you !

Chetan Savade


Could you please update how endpoints should authenticationed and authorized by ISE first ?

As per my knowledge endpoint can not authenticate with only Symantec Endpoint Protection Manager.

If endpoint is installed along with SNAC then can set the conditions, but need to check in details.



HI Chetan,

Thanks for your reply.

I've search the SEP web site and found some work flow. And I combine them to my environment.

I'm not sure it's right, the flow is:

1. Client computer connects and send logon through EAP.

2. The WLC forwards the user name and passwrod to the LAN Enforcer.

3. The LAN Enforcer forwards the username and password to the ISE server.

4. The ISE server generates and EAP challenge.

5. The LAN Enforcer receives the EAP challenge and adds the Host Integrity check.

6. The LAN Enforcer checks the Host Integrity results and forwards them to the ISE server.

7. The ISE server performs EAP authentication and sends the result to the LAN Enforcer.

8. The LAN Enforcer receives the authenticaiton result and forwards it and the action to take to the WLC.

9. If the client passes the EAP and Host Integrity challenges, the WLC allows network access.


But when i configure the WLC, the RADIUS server address is the ISE server ip address. That means WLC forwards the username and password to the ISE server directly, and it will not through to the LAN Enforcer.

So this is very confused me.

Do you know why?

Thank you !




Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (50%)

Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel