ISE low impact mode/Closed/Monitor

minkumar · ‎08-21-2014

Can we put the the profiles one by one into closed mode in ISE

for example:

You have three rules

Group A---Switch A---DOT1X-- Low impact mode

Group B--Swicth A--DOT1X---Closed Mode

Group c-- Switch A-- DOT1X-- Monitor Mode.

- Now, after testing Low-impact mode and Monitor mode, one by one can we put them in closed mode?

Can we accomplish this, Rule by rule?

Minakshi

Saurav Lodh · ‎08-22-2014

Yes you can achieve the above as it depends on switch level configuration.

Venkatesh Attuluri · ‎08-22-2014

Deploying Monitor Mode first allows to step through all the issues, gaining visibility into successful and failed authentications, with minimal impact to the users and endpoints. Once issues have been addressed through Monitor Mode you can provide secured network access Closed Mode.
note :Closed Mode is recommended only for IT environments that are experienced with 802.1X deployments and have considered all the nuances that go along with it.In closed mode any traffic prior to authentication will be dropped, including DHCP, DNS, and Address Resolution Protocol (ARP) traffic.Make sure evry thing is sorted out

Venkatesh Attuluri · ‎10-24-2014

you can find additional information on phased deployment in here

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

mohanak · ‎08-25-2014

Please refer the document :

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_23_transitioning_monitor_mode.pdf

Phas

ed Approach