04-03-2013 07:41 AM - edited 03-10-2019 08:16 PM
I have an environment like this:
- Active Directory on Windows 2008R2 with the domain CCIESEC, which also serves DNS and DHCP for clients in
the CCIESEC domain. Clients consist of Windows 7 64-bit Enterprise. These AD servers reside
on network 192.168.1.0/24
- An ISE appliance 3395 called ISE1 that serves as Primary Admin/Monitoring and Policy service. ISE1
resides on network 192.168.1.0/24
- An ISE appliance 3395 called ISE2 that serves as Secondary Admin/Monitoring and Policy service. ISE2
resides on network 192.168.1.0/24
- Lots of Windows 7 clients on network 192.168.2.0/24
- ISE is successfully integrated with the Active Directory CCIESEC domain.
I am currently deploying ISE in "monitor" mode and on the switch, this is my configuration:
interface GigabitEthernet3/14
description test_machine
switchport
switchport access vlan 71
switchport mode access
load-interval 30
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 300
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
Everything is working fine. However, I would like to go to "low impact" mode. Here is what I have on the switch:
ip device tracking
interface GigabitEthernet3/14
description test_machine
switchport
switchport access vlan 71
switchport mode access
ip access-group allow in
load-interval 30
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 300
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
ip access-list extended allow
remark DHCP, DNS, ICMP
permit udp any eq bootpc any eq bootps log
permit udp any any eq domain log
permit icmp any any log
remark Allow Microsoft Ports (used for better login performance)
permit tcp any any eq 88 log
permit udp any any eq 88 log
permit udp any any eq ntp log
permit tcp any any eq 135 log
permit udp any any eq netbios-ns log
permit tcp any any eq 139 log
permit tcp any any eq 389 log
permit udp any any eq 389 log
permit tcp any any eq 445 log
permit tcp any any eq 636 log
permit udp any any eq 636 log
permit tcp any any eq 1025 log
permit tcp any any eq 1026 log
remark PXE / TFTP
permit udp any any eq tftp log
permit tcp any any eq 3389 log
remark deny all the rest
deny ip any any log
Does it mean that the only difference between "monitor" and "low impact" mode is the ACL on the switchport interface?
Thank you in advance
04-03-2013 07:43 PM
Hello David-
That is right; as far as the switch is concerned, the pre-authentication ACL is the only difference. The pre-auth ACL just provides initial access to devices/users before they authenticate. Once the device/user authenticates, the pre-auth ACL will get replaced with the dACL that you defined in the authorization profile. For example, let's say that you use Ghost to remotely wipe and re-image machines. You will need a method to let those machines back on the network so they can join AD, get their GPOs pushed, enroll for certificates, etc.
I hope this helps
Thank you for rating!
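To make the difference between the two modes concrete, here is a small first-match ACL evaluator that models what the switch does with a packet from the endpoint on Gi3/14. It is an added illustration, not code from the thread or from Cisco: monitor mode (authentication open, no port ACL) forwards everything; low-impact mode filters through the pre-auth ACL from the post until the session is authorized and the dACL takes its place. The dACL contents (permit ip any any) are an assumption, since the thread does not show the authorization profile, and the parser only handles the "any [eq port] any [eq port]" grammar the posted ACL uses.

```python
"""First-match evaluator for the pre-auth ACL shown in the post (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the 'allow' ACL from the post, copied verbatim
# (remark lines and the trailing 'log' keyword are ignored by the parser).
PREAUTH_ACL = """\
remark DHCP, DNS, ICMP
permit udp any eq bootpc any eq bootps log
permit udp any any eq domain log
permit icmp any any log
remark Allow Microsoft Ports (used for better login performance)
permit tcp any any eq 88 log
permit udp any any eq 88 log
permit udp any any eq ntp log
permit tcp any any eq 135 log
permit udp any any eq netbios-ns log
permit tcp any any eq 139 log
permit tcp any any eq 389 log
permit udp any any eq 389 log
permit tcp any any eq 445 log
permit tcp any any eq 636 log
permit udp any any eq 636 log
permit tcp any any eq 1025 log
permit tcp any any eq 1026 log
remark PXE / TFTP
permit udp any any eq tftp log
permit tcp any any eq 3389 log
remark deny all the rest
deny ip any any log
"""

# Assumption: the authorization profile pushes a permit-all dACL after a
# successful dot1x/MAB authorization. The thread does not show the real one.
DACL_AFTER_AUTH = "permit ip any any"

# IOS port keywords that appear in the ACL above.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "ntp": 123,
              "netbios-ns": 137, "tftp": 69}


@dataclass
class Ace:
    action: str              # 'permit' or 'deny'
    proto: str               # 'ip', 'tcp', 'udp' or 'icmp'
    src_port: Optional[int]  # None means any source port
    dst_port: Optional[int]  # None means any destination port


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny <proto> any [eq P] any [eq P] [log]' lines, skipping remarks."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] == "remark":
            continue
        if toks[-1] == "log":
            toks = toks[:-1]
        action, proto, rest = toks[0], toks[1], toks[2:]
        ports: List[Optional[int]] = []
        for _ in ("source", "destination"):
            if rest[0] != "any":
                raise ValueError("only 'any' endpoints are modelled: " + raw)
            rest = rest[1:]
            if rest and rest[0] == "eq":
                ports.append(_port(rest[1]))
                rest = rest[2:]
            else:
                ports.append(None)
        aces.append(Ace(action, proto, ports[0], ports[1]))
    return aces


def acl_permits(aces: List[Ace], proto: str, sport: int, dport: int) -> bool:
    """First matching ACE wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action == "permit"
    return False


def port_allows(mode: str, authorized: bool, proto: str, sport: int, dport: int) -> bool:
    """Does the access port forward this packet? mode is 'monitor' or 'low-impact'."""
    if mode == "monitor":
        return True  # 'authentication open' with no port ACL: nothing is filtered
    if mode != "low-impact":
        raise ValueError(mode)
    acl = DACL_AFTER_AUTH if authorized else PREAUTH_ACL
    return acl_permits(parse_acl(acl), proto, sport, dport)


if __name__ == "__main__":
    print(port_allows("low-impact", False, "udp", 68, 67))      # True  (DHCP discover)
    print(port_allows("low-impact", False, "tcp", 49152, 389))  # True  (LDAP to the DC)
    print(port_allows("low-impact", False, "tcp", 49152, 80))   # False (pre-auth web)
    print(port_allows("low-impact", True, "tcp", 49152, 80))    # True  (dACL in place)
```

Two things the model makes visible that the config listing alone does not: a DHCP request sent from a source port other than 68 is dropped by the first ACE and falls through to the final deny, and in monitor mode the ACL is never consulted, which is why switching modes changes the endpoint's pre-authentication reachability and nothing else.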