
ISE Third party support

Hi there, and thank you for reading.

 

Been out of IT infrastructure for a number of years and struggling to get up to speed rapidly.

I'm looking at an existing ISE system supporting AAA/Profiling/BYOD/Guest/Posture services.

We are looking to add some third party switch hardware and door access/CCTV endpoints, which we want to be compliant with ISE. Am I understanding correctly that the switches just need to support 802.1X, or that they need to support 802.1X and have RADIUS and TACACS integration built in?

Do I also understand correctly that ISE can have exceptions for certain nodes and endpoints if there are compatibility issues, but any new devices added to those nodes, a bad actor or such would still be blocked by ISE?

 

Many thanks in advance

Fraser

3 REPLIES
marce1000
VIP Advisor

balaji.bandi
VIP Expert

Here is the device matrix based on the version of ISE you are running:

 

https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

BB


Mike.Cifelli
VIP Advocate

On top of the links provided, take a peek at the ISE Resources links at the top of the 'Network Access Control' community forum, as there are really good examples and guides there. Also, for free tutorials for ISE config demos, take a look at: Video: Security | Lab Minutes

Am I understanding correctly that the switches just need to support 802.1X, or that they need to support 802.1X and have RADIUS and TACACS integration built in?

-Yes.  Devices will need to be able to support dot1x and radius.  Radius is used between the authenticator (switch) and ISE (authentication server).  Note there are specific licenses (Base) needed to support your typical AAA services.

Do I also understand correctly that ISE can have exceptions for certain nodes and endpoints if there are compatibility issues, but any new devices added to those nodes, a bad actor or such would still be blocked by ISE?

-Yes.  You will utilize your policy sets to steer policy and allow (authorize) good known clients onto the network.  Bad actors should not match any policies and hit the default policy which should be secured (deny access).

HTH!

 
