ISE Posture on non-configured ports

manvik (Level 3)

Cisco ISE running wired posture with Cisco switches. What if a few switch ports were not configured for AAA/dot1x and someone connects a computer to one of those ports?
Will ISE come to know about such a connection?
Will the computer get network access?

Accepted Solution

@manvik why does ISE need to know about the device if you are not authenticating it?

You can profile the endpoint without having AAA enabled on a port - https://community.cisco.com/t5/security-knowledge-base/profiling-wired-endpoints-without-802-1x-or-mab-using-ibns2-0/ta-p/5073148

If you wish to block access on that port, assign an ACL to that specific port.

Or configure AAA, let ISE authenticate it using 802.1X/MAB and then assign a DACL to restrict access.


8 Replies

@manvik if those ports are not configured for AAA (802.1X or MAB) then no authentication requests will be sent to ISE and they will get network access; this assumes the access VLAN is configured correctly and they receive an IP address.

Thanks for the quick reply. It's a static IP environment. Is there any method to block access here?
Can ISE come to know about such a connection?


What do you mean by static IP?

Why not add dot1x on these ports?

You can configure ISE for MAB and use a condition in authc/authz to match the specific port.

MHM

thomas (Cisco Employee)

ISE cannot know about or control a port if you do not configure authentication. RADIUS is how it controls each session on a port. You cannot expect ISE to do its job if you forget/refuse to configure the feature on the port to use it.

Without RADIUS AAA, all security capabilities of the network device are still at your disposal: static VLANs, ACLs, SGTs, port-security, and of course shutdown.

As already mentioned, if the switch ports are not configured with dot1x or MAB, the authentication sessions coming through those ports won't be relayed to ISE, so ISE will have no control over that traffic. If you have all the end-user ports configured with AAA then you shouldn't worry about the scenario you mentioned; that obviously depends on how the ISE policies are configured, but the purpose of deploying dot1x and MAB is to only allow authorized access to the network. However, if you have some ports without AAA configuration then you can place them in a dead VLAN or shut them down.
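The two options the replies above describe, as an added illustration (not configuration from the thread or from Cisco): one port brought under ISE control with 802.1X falling back to MAB so ISE can push a dACL, and one port that will not run AAA parked in a dead VLAN and shut down. The ISE address 10.1.1.10, the secret placeholder, VLAN numbers and interface names are assumptions.

```ios
! Hypothetical IOS config. ISE PSN address and RADIUS secret are placeholders.
aaa new-model
radius server ISE-PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <RADIUS-SECRET>
aaa group server radius ISE
 server name ISE-PSN1
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
! VSAs carry the dACL name in the RADIUS Access-Accept
radius-server vsa send authentication
radius-server vsa send accounting
dot1x system-auth-control
! Classic IOS needs device tracking to apply a dACL; newer IOS-XE uses "device-tracking policy"
ip device tracking
!
! Option A (accepted answer): authenticate the port, try 802.1X first, fall back to MAB,
! and let ISE return a dACL that restricts what the endpoint can reach.
interface GigabitEthernet1/0/10
 description User port - authenticated by ISE
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication host-mode multi-auth
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Option B (thomas and the reply above): a port that will not run AAA gets no usable
! access at all, so an unknown static-IP host plugged in there reaches nothing.
vlan 999
 name DEAD-VLAN
interface GigabitEthernet1/0/11
 description Unused port - parked in dead VLAN
 switchport mode access
 switchport access vlan 999
 switchport port-security
 switchport port-security maximum 1
 shutdown
```

With option A every link-up on the port produces a RADIUS session ISE can see and log; with option B nothing reaches ISE, which is exactly why the port is left with no access.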

manvik (Level 3)

Thanks folks, what would be an ideal solution to alert on new connections to a network switch?

@manvik you could use SYSLOG?