01-15-2025 04:39 AM
Cisco ISE running wired posture with Cisco switches. What if a few switch ports were not configured for AAA/dot1x and someone connects a computer to such a port?
Will ISE come to know about such a connection?
Will the computer get network access?
01-15-2025 04:52 AM
@manvik why does ISE need to know about the device if you are not authenticating it?
You can profile the endpoint without having AAA enabled on a port - https://community.cisco.com/t5/security-knowledge-base/profiling-wired-endpoints-without-802-1x-or-mab-using-ibns2-0/ta-p/5073148
If you wish to block access on that port, assign an ACL to that specific port.
Or configure AAA, let ISE authenticate it using 802.1X/MAB and then assign a DACL to restrict access.
01-15-2025 04:42 AM
@manvik if those ports are not configured for AAA (802.1X or MAB), then no authentication requests will be sent to ISE and they will get network access. This assumes the access VLAN is configured correctly and they receive an IP address.
01-15-2025 04:46 AM
Thanks for the quick reply. It's a static IP environment. Any method to block access here?
Can ISE come to know about such a connection?
01-15-2025 05:43 AM
What do you mean by static IP?
Why don't you add dot1x on these ports?
You can configure ISE for MAB and use a condition in authc/authz to match the specific port.
MHM
01-15-2025 06:02 AM
ISE cannot know about or control a port if you do not configure authentication. RADIUS is how it controls each session on a port. You cannot expect ISE to do its job if you forget/refuse to configure the feature on the port to use it.
Without RADIUS AAA, all security capabilities of the network device are still at your disposal: static VLANs, ACLs, SGTs, port-security, and of course shutdown.
01-15-2025 07:45 AM
As already mentioned, if the switch ports are not configured with dot1x or MAB, the authentication sessions coming through those ports won't be relayed to ISE, so ISE will have no control over that traffic. If you have all the end-user ports configured with AAA, then you shouldn't worry about the scenario you mentioned. That depends obviously on how the ISE policies are configured, but the purpose of deploying dot1x and MAB is to only allow authorized access to the network. However, if you have some ports without AAA configuration, then you can place them in a dead VLAN or shut them down.
01-16-2025 04:48 AM
Thanks folks, what would be an ideal solution to alert on new connections in a network switch?
01-16-2025 04:54 AM
@manvik you could use SYSLOG?
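As an added example (not part of the thread or of any Cisco tooling), here is a small Python script that does the kind of syslog-based alerting suggested in the reply above: it parses Cisco IOS-style `%LINK-3-UPDOWN` messages, compares the interface that came up against an inventory of ports known to have AAA (802.1X/MAB) enabled, and raises an alert for a link-up on any port ISE would never see. The syslog lines, the switch hostname `sw-access-01`, the `AAA_ENABLED_PORTS` and `EXEMPT_PORTS` inventories and the message sequence numbers are all constructed for this example, and the inventory dictionaries are a hypothetical stand-in for whatever source of truth (switch config backups, an IPAM, the ISE network-device list) you actually keep.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines in Cisco IOS style; not captured from a real device.
SAMPLE_SYSLOG = """\
<189>Jan 16 04:54:01 sw-access-01 101: Jan 16 04:54:00.412: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
<189>Jan 16 04:54:02 sw-access-01 102: Jan 16 04:54:01.201: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
<189>Jan 16 04:55:10 sw-access-01 103: Jan 16 04:55:09.877: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
<189>Jan 16 04:56:00 sw-access-01 104: Jan 16 04:55:59.003: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down
<189>Jan 16 04:57:30 sw-access-01 105: Jan 16 04:57:29.510: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/48, changed state to up
"""

# Hypothetical inventory: access ports that have dot1x/MAB configured. Any port that
# comes up and is missing from here is one of the "forgotten" ports the thread is about.
AAA_ENABLED_PORTS = {"sw-access-01": {"GigabitEthernet1/0/5"}}
# Hypothetical inventory: uplinks or other ports that are intentionally unauthenticated.
EXEMPT_PORTS = {"sw-access-01": {"GigabitEthernet1/0/48"}}

# Matches the syslog header (optional PRI, timestamp, hostname, sequence number) and the
# %LINK-3-UPDOWN body. %LINEPROTO-5-UPDOWN lines are deliberately ignored so each
# physical link-up produces exactly one event.
LINK_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+(?P<host>\S+)\s+\d+:\s+.*?"
    r"%LINK-3-UPDOWN: Interface (?P<iface>\S+), changed state to (?P<state>up|down)"
)


@dataclass(frozen=True)
class Alert:
    host: str
    iface: str
    timestamp: str
    reason: str


def parse_link_events(text):
    """Return (timestamp, host, interface, state) tuples for every LINK-3-UPDOWN line."""
    events = []
    for line in text.splitlines():
        m = LINK_RE.search(line)
        if m:
            events.append((m["ts"], m["host"], m["iface"], m["state"]))
    return events


def find_unauthenticated_link_ups(text, aaa_ports=AAA_ENABLED_PORTS, exempt=EXEMPT_PORTS):
    """Alert on link-up events for ports that are neither AAA-enabled nor exempt."""
    alerts = []
    for ts, host, iface, state in parse_link_events(text):
        if state != "up":
            continue  # link-down events are not new connections
        if iface in exempt.get(host, set()):
            continue  # uplinks etc. are expected to be unauthenticated
        if iface in aaa_ports.get(host, set()):
            continue  # ISE will authenticate this session itself
        alerts.append(Alert(host, iface, ts,
                            "link up on port without AAA/dot1x; ISE will never see this session"))
    return alerts


if __name__ == "__main__":
    for a in find_unauthenticated_link_ups(SAMPLE_SYSLOG):
        print(f"{a.timestamp} {a.host} {a.iface}: {a.reason}")
```

On the constructed input this flags only GigabitEthernet1/0/23: port 5 is covered by AAA, port 48 is an exempt uplink, and the later link-down on port 23 is not a new connection. In practice you would feed it from your syslog collector and treat any alert as a port that needs either AAA, a port ACL, a dead VLAN, or a shutdown, as the earlier replies describe.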