ISE Posture with Non-compatible switches like Cisco 2950

lsin
Cisco Employee

Team,

I would like to find out whether the following is possible for ISE posture with a non-compatible switch like the 2950:

Setup:

  • ISE 2.3
  • Non-compatible switch Cisco 2950

Goal:

  • Achieve posture checking on endpoint

Suggested Solution:

  • Implement AnyConnect on Endpoint for 802.1x and Posture checking
  • Use port bounce to move the endpoint to a quarantine VLAN for a non-compliant endpoint
  • I am not sure if this is part of SNMP CoA. If not, is it possible to use SNMP CoA as well to achieve a similar goal?

Regards,

Leslie

34 Replies

There are additional changes required to address support for SNMP CoA with Catalyst 2950. As I recall, the ifIndex values were simply 1, 2, 3, etc., corresponding to interface number. We currently support an option to swap out the leading characters of the NAS Port value to address the behavior of many Cisco switches, but this would not work for the 2950, where we need to swap all leading characters with an empty string. Per the original reply, please work with the account team and PM for feature prioritization.

On a related note, ISE 2.2 Posture supports provisioning and assessment without URL redirect support on access switch, but CoA is still a requirement to change authorization following successful assessment.

/Craig

Thank you for your reply, so there is no hope to make 2950 support SNMP CoA?

As noted, further enhancements required.  These are two which I requested:

  • CSCvb48246    ENH ISE improve port detection for cisco switches
    • Add more intelligence to determine ifIndex port versus straight regex which is prone to error, complex, and may not be possible in all cases.
  • CSCvb48180    ENH ISE SNMP support for cisco switches
    • Add support for AUTH-FRAMEWORK-MIB

The first would add more intelligence to auto-determine the SNMP ifindex without having to use regex tricks, etc.

The second would be to leverage the Cisco MIB which provides a rich set of SNMP-based CoA functions.

The last option is to further tweak the string manipulation mentioned in first reply.

Please work with Cisco account team to drive the enhancements with ISE product management team.

/Craig

Thanks Craig.

Regards,

Leslie

Thank you, really helpful!