
ISE Topology

hs08
VIP

In a Cisco ISE environment, will the topology below work or not?

Core (g0/1) ------- (g0/1) Distrib (g0/24) --------  (g0/24) Access (g0/1) --------- PC 

Usually I configure MAB on every port in the access layer, but can we enable it only on interface g0/1 at the core?

Accepted Solutions

Torbjørn
VIP

Hello @hs08,

You could in theory do this with multi-auth enabled for the downstream interface on your core switch. It is, however, not a good way to solve this. For the best results you should implement authentication for endpoints on your access switches.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev


3 Replies

Just because you can doesn't mean you should. Configure it correctly on the access layer.

Arne Bier
VIP

@hs08 - there are so many things wrong with that setup.

For NAC you need an access mode interface - you should not have access mode on a core switch linked to distribution! What kind of a design is that to allow only one VLAN?

If you perform NAC on a single interface in the core, you won't have visibility of the switch/interface for each endpoint session - you also don't have any uplink redundancy in that setup.

This has to be some esoteric lab experiment - but hopefully not a production network.

Put NAC on the access layer - for visibility, enforcement, and scalability - and to allow the rest of the network to be connected properly (trunks, port channels, etc.)
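
A small configuration audit that follows the advice in this thread, added here as an example and not part of any poster's reply: it flags access-mode ports that lack MAB enforcement and inter-switch trunk links that carry port authentication. The sample configuration and interface names are constructed, and the two rules are an assumed reading of "put NAC on the access layer".

```python
# Constructed sample config for a hypothetical access switch (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/24
 switchport mode trunk
 authentication port-control auto
 mab
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_nac_placement(config):
    """Flag access ports without MAB and trunk links with port authentication."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        has_mab = "mab" in cmds
        has_auth = "authentication port-control auto" in cmds
        # Endpoint-facing access ports should authenticate what plugs in.
        if "switchport mode access" in cmds and not (has_mab and has_auth):
            findings.append((name, "access port without MAB enforcement"))
        # Uplinks between switches should stay plain trunks.
        if "switchport mode trunk" in cmds and (has_mab or has_auth):
            findings.append((name, "authentication configured on a trunk link"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_nac_placement(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```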