12-18-2018 03:28 AM - edited 12-18-2018 03:45 AM
Hello,
We're currently migrating from ACS 5.8 to ISE 2.2, and I was wondering if it is possible to profile the devices that are not authenticated on a switch interface/ISE. Our authentication is VLAN-based, without dACL or SGT.
Or is there a better way to authenticate devices that can't authenticate with dot1x and need to have network access on startup (except changing the auth order from "dot1x mab" to "mab dot1x")? Sometimes some of the devices won't show their MAC address for some reason, so authentication won't work.
The first interface is our default switchport configuration, and the second is the configuration used when an interface needs to be locked to a VLAN for a specific device.
! Default access port: closed mode, dot1x first with MAB as fallback
interface GigabitEthernet1/0/3
 description dot1x
 switchport access vlan 54
 switchport mode access
 switchport voice vlan 121
 ! Only ingress traffic is blocked before authentication (egress, e.g. Wake-on-LAN, is allowed)
 authentication control-direction in
 ! If ISE is unreachable, put the data device in VLAN 55 and authorize the voice domain
 authentication event server dead action authorize vlan 55
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 ! One data device plus one voice device per port
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Additional MACs are dropped and logged; the port is not err-disabled
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! EAPOL retransmit every 7 s instead of the default 30 s, so MAB fallback starts sooner
 dot1x timeout tx-period 7
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end
! Port locked to one device with port security instead of dot1x/MAB
interface GigabitEthernet1/0/4
 description SALTO Liz-Serv
 switchport access vlan 111
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 switchport port-security
end
Thanks!
12-18-2018 07:27 AM
MAB is the only method to authenticate devices that do not have a supplicant. You can still profile devices so long as the MAC address of the endpoint is obtained. There are a few ways to obtain the MAC address of the endpoint: DHCP, SNMP polling, etc.
Regards,
-Tim
12-18-2018 07:05 AM
As far as I know, at least MAB is required. Use monitor mode, or return Permit from ISE unconditionally, to avoid connectivity issues. Without an authentication request (a session), the endpoint is not added to the ISE endpoint database.
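To make the two replies concrete, the following is an added example (not posted in the thread and not Cisco-supplied) of the questioner's default port switched to monitor mode, together with the SVI and SNMP settings that feed ISE's DHCP and SNMPQUERY profiling probes with the MAC and DHCP data Tim refers to. The ISE PSN address 10.0.0.10, the DHCP server 10.0.0.5, the SVI address, the ACL name and the community string are assumptions.

```ios
! Added example: monitor mode on the questioner's default port.
! Only "authentication open" is new compared with the original interface config.
! Traffic is forwarded before (and without) a successful authentication, but
! the first frame from the device still triggers MAB, so ISE gets a session
! and the endpoint is learned and profiled.
interface GigabitEthernet1/0/3
 description dot1x monitor mode
 switchport access vlan 54
 switchport mode access
 switchport voice vlan 121
 authentication control-direction in
 authentication event server dead action authorize vlan 55
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
! Feed the ISE DHCP probe: relay client DHCP broadcasts to the real DHCP
! server AND to the ISE PSN (10.0.0.5 and 10.0.0.10 are assumed addresses).
interface Vlan54
 ip address 10.54.0.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip helper-address 10.0.0.10
!
! Feed the ISE SNMPQUERY probe: read-only community limited to the PSN
! (ACL name and community string are assumptions; pick a non-guessable string).
ip access-list standard ISE-SNMP
 permit host 10.0.0.10
snmp-server community ise-ro-example RO ISE-SNMP
```

Two caveats. Monitor mode only removes the blocking; it does not create a session. MAB is triggered by the first frame the switch receives from the endpoint, so a device that stays completely silent still produces no MAB request and is still not learned by ISE. And monitor mode is an audit state: once the authorization policy covers the non-dot1x devices (or a default rule returning PermitAccess is in place on the ISE side), remove `authentication open` to go back to the closed mode of the original config, or keep it and add a pre-authentication ACL with `ip access-group <acl> in` for low-impact mode.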