
ISE device information for non-auth interfaces

Maxee
Level 1

Hello,


We're currently migrating from ACS 5.8 to ISE 2.2 and I was wondering if it is possible to profile the devices that are not authenticated on a switch interface/ISE. Our authentication is vlan-based without dACL or SGT.

Or if there is a better way to authenticate devices that can't auth with dot1x and need to have network access on startup (except changing the auth-order from dot1x mab to mab dot1x). Sometimes some of the devices won't show their mac-address for some reason, thus authentication won't work.


The first interface is our default switchport configuration and the second interface configuration is when the interface needs to be locked in a vlan for a device.


interface GigabitEthernet1/0/3
 description dot1x
 switchport access vlan 54
 switchport mode access
 switchport voice vlan 121
 authentication control-direction in
 authentication event server dead action authorize vlan 55
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end


interface GigabitEthernet1/0/4
 description SALTO Liz-Serv
 switchport access vlan 111
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 switchport port-security
end


Thanks!

Accepted Solution

Timothy Abbott
Cisco Employee

MAB is the only method to authenticate devices that do not have a supplicant. You can still profile devices so long as the MAC address of the endpoint is obtained. There are a few ways to obtain the MAC address of the endpoint: DHCP, SNMP polling, etc.


Regards,

-Tim

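The accepted answer says profiling works as soon as ISE obtains the endpoint MAC, via DHCP, SNMP polling and similar probes. The switch-side plumbing those probes depend on is shown below as an added example (not configuration from this thread, and not a Cisco-published template); it assumes Catalyst IOS 15.x syntax, the two VLANs from the question, and placeholder addresses: 192.0.2.10 for the ISE PSN, 10.0.0.1 for the existing DHCP server, and ISE-PROBE-RO for the SNMP community.

```ios
! Added example: switch-side settings that feed ISE profiling probes.
! 192.0.2.10 (ISE PSN), 10.0.0.1 (DHCP server) and ISE-PROBE-RO are
! placeholders, not values from the thread.

! RADIUS accounting: every MAB/dot1x session start reaches ISE, which is
! also what triggers the SNMP Query probe for that switch port.
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 2880

! DHCP probe: relay endpoint DHCP traffic to the PSN as a second helper,
! so ISE learns the MAC together with the DHCP fingerprint. The existing
! DHCP server helper stays in place; ISE only listens, it does not answer.
interface Vlan54
 ip helper-address 10.0.0.1
 ip helper-address 192.0.2.10
!
interface Vlan111
 ip helper-address 10.0.0.1
 ip helper-address 192.0.2.10

! SNMP Query probe: a read-only community lets ISE poll the MAC table and
! interface data. SNMP Trap probe: link and MAC-move traps sent to the PSN.
snmp-server community ISE-PROBE-RO RO
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 192.0.2.10 version 2c ISE-PROBE-RO
mac address-table notification change
```

On the ISE side the matching probes (DHCP, SNMPQUERY, SNMPTRAP) are enabled per PSN under Administration > System > Deployment > Profiling Configuration, and the switch must be defined as a network device with the same SNMP community. Two caveats worth checking before deploying: ip helper-address forwards several UDP services by default, not only DHCP, so trim them with no ip forward-protocol udp for ports ISE does not need; and the SNMP Query probe only fires for ports on which a RADIUS session (including a MAB attempt) actually started, so a port that never sends an authentication request still yields nothing.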

Replies

Peter Koltl
Level 7

As far as I know, at least MAB is required. Use monitor mode or return Permit from ISE unconditionally to avoid connectivity issues. Without an authentication request (a session) the endpoint is not added to the ISE endpoint database.
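Monitor mode, as suggested above, means keeping dot1x and MAB running on the port but adding authentication open, so the switch forwards traffic regardless of the result while ISE still receives the MAB request and records the MAC. The port below is an added example (not from the thread or from Cisco documentation) that applies this to the question's Gi1/0/4 SALTO device; it assumes Catalyst IOS 15.x syntax and, as a simplification, drops the port-security sticky lines from the original port, since 802.1X/MAB now owns the port.

```ios
! Added example: the thread's Gi1/0/4 moved from port-security to
! monitor mode. Nothing here is the author's production configuration.
interface GigabitEthernet1/0/4
 description SALTO Liz-Serv (monitor mode)
 switchport access vlan 111
 switchport mode access
 authentication host-mode multi-domain
 ! dot1x first, MAB after the dot1x timeout, same order as the default port
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! open mode: traffic is forwarded before and regardless of the auth result,
 ! so the device gets network access at boot even though dot1x runs first
 authentication open
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
 spanning-tree bpduguard enable
end

! Verification on the switch: the session should appear with the learned
! MAC and a MAB result even for a supplicant-less device.
show authentication sessions interface GigabitEthernet1/0/4
show mab interface GigabitEthernet1/0/4 detail
```

In ISE 2.2 the same session shows up under Operations > RADIUS > Live Logs, and the MAC lands in Context Visibility > Endpoints where profiling policies act on it. Two points to keep in mind: open mode is a visibility stage, not enforcement, because a failed or rejected MAB still leaves the port forwarding, so the default MAB authorization rule in ISE should be reviewed before the port is moved back to closed mode; and the switch still needs at least one frame from the endpoint to learn its MAC, so a device that stays silent after link-up (the behaviour described in the question) will not produce a MAB session in either mode.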
