06-06-2017 05:13 PM - edited 03-11-2019 12:46 AM
Hi,
I have a question, if someone can help me out.
I have ISE performing CoA for the switches, which pushes a DACL to the switches. ISE is managed by a third party in a shared environment.
To protect the network, I have been asked to change the switch configuration to do either of the following:
- Control CoA to make sure what CoA can be pushed to the switches. They only want CoA to change the VLAN and use the ACL on the VLAN to control the traffic on the VLAN, rather than allowing ISE to push a DACL.
or
- Configure the switch in a way that, based on the RADIUS reply, it can perform the required action.
I have no idea, and my Google searches got me nowhere in finding out what can be done.
Can someone please help me out with this one?
Thanks,
Nilay.
06-11-2017 07:50 PM
Once you have allowed ISE to act as the authorization server for the switch and put a given interface under port control, I don't believe you can restrict what actions (among the supported ones) ISE may perform.
In other words, it's all or none regarding CoA.
06-11-2017 09:23 PM
Sweet. Thanks for the clarification on that one thing.
So do I have any option in the switch port configuration to replicate what CoA is supposed to do?
I mean, I get a reply from ISE, authentication yes or no, and then the switch port configuration decides whether to block, allow or move the switch port to a remediation VLAN to update the antivirus?
Just wondering. The logic is: RADIUS says yes or no, so based on that I can either allow or block. I can start with block and, if it allows, just move them to the allow VLAN. But I want to see what the options are here.
ta
Nilay.