ISE IN CLOSE MODE

kajibola
Level 1

If you are running ISE in closed mode, which means you don't want to permit any traffic other than EAPoL before authentication, and you also have IP Phones which are dynamically profiled using their DHCP attributes, how do you correlate the two?

authentication open: Although DHCP traffic is allowed, and therefore IP Phone profiling using DHCP attributes works, the port is open to other traffic before authentication. This is not acceptable.

authentication open + using default ACL: This can be used to limit the allowed traffic before authentication to DHCP, but when the servers are dead and the critical VLAN is authorized, the switchport is still subject to the default ACL. This means the critical VLAN won't work unless the default ACL is removed.

no authentication open: Will not allow DHCP traffic to pass through. Therefore, IP Phones won't be dynamically profiled.

I want to allow DHCP traffic before authentication because of IP Phones that need to be profiled based on DHCP attributes, and I want the port to be closed to other traffic until after authentication. How can this be achieved?
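The three port configurations the question describes, written out as legacy ("old-style") IOS 802.1X interface configuration. This is an added example and not configuration from the original post; interface names, VLAN IDs and the ACL name are assumed for illustration.

```cisco
! Added example, not from the original post. Legacy (old-style) IOS 802.1X
! port configuration illustrating the three options described above.
! Interface names, VLAN IDs and ACL names are assumed for illustration.

! --- Option 1: "authentication open" (Monitor mode) ---
! All traffic is forwarded before authentication, so DHCP (and everything
! else) reaches the network and the phone can be profiled via DHCP.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication open
 mab
 dot1x pae authenticator

! --- Option 2: "authentication open" + pre-authentication port ACL (Low-Impact mode) ---
! Only DHCP (plus DNS/TFTP, which phones commonly need to boot) is allowed
! before authentication; everything else is dropped until ISE returns a dACL.
ip access-list extended ACL-DEFAULT
 remark Allow DHCP so IP Phones can be profiled by DHCP attributes
 permit udp any eq bootpc any eq bootps
 remark Optional: DNS and TFTP for phone boot
 permit udp any any eq domain
 permit udp any any eq tftp
 remark Everything else stays blocked until authorization
 deny ip any any

interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-domain
 authentication port-control auto
 authentication open
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
! Caveat raised in the question: when the RADIUS servers are dead and the
! critical VLAN is authorized, no dACL is downloaded, so ACL-DEFAULT stays
! on the port and critical-VLAN hosts can only send DHCP/DNS/TFTP.

! --- Option 3: no "authentication open" (Closed mode) ---
! Only EAPoL is accepted before authentication; DHCP never leaves the port,
! so ISE's DHCP probe sees nothing until MAB/802.1X has authorized the session.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 no authentication open
 mab
 dot1x pae authenticator
```

Verify which mode a port is actually in with `show authentication sessions interface GigabitEthernet1/0/2 details` and `show ip access-lists interface GigabitEthernet1/0/2`: in Option 2 the output shows ACL-DEFAULT applied with no per-session dACL while the critical VLAN is active, which is exactly the condition the question describes.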

Accepted Solution

Craig Hyps
Level 10

First of all, it is the switchport, not ISE, that operates in one of the three modes noted above. These are often referred to as Monitor, Low-Impact, and Closed mode.

There are methods to address the port ACL in Low-Impact mode via EEM, or by removing the ACL and relying on the default ACL, or via Session-Aware Networking (also known as IBNS 2.0, new-style, or CP3PL). Even in closed mode, you can return a minimal access ACL in the event the device is unknown.

CDP/LLDP can also be acquired in closed mode via SNMP. There is also an option to use Session-Aware Networking to force Device Sensor to send RADIUS Accounting even if authentication fails, in order to transmit the CDP/LLDP info.

Craig
