question and help about about ISE deployment in low-impact mode

david.tran (Level 4)

I have an environment like this:

- Active Directory on Windows 2008 R2 with the domain CCIESEC, which also serves DNS and DHCP for clients in the CCIESEC domain. Clients consist of Windows 7 64-bit Enterprise. These AD servers reside on network 192.168.1.0/24.

- An ISE appliance 3395 called ISE1 that serves as Primary Admin/Monitoring and Policy Service. ISE1 resides on network 192.168.1.0/24.

- An ISE appliance 3395 called ISE2 that serves as Secondary Admin/Monitoring and Policy Service. ISE2 resides on network 192.168.1.0/24.

- Lots of Windows 7 clients on network 192.168.2.0/24.

- ISE is successfully integrated with the Active Directory CCIESEC domain.

I am currently deploying ISE in "monitor" mode, and on the switch this is my configuration:

interface GigabitEthernet3/14
 description test_machine
 switchport
 switchport access vlan 71
 switchport mode access
 load-interval 30
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 300
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge

Everything is working fine. However, I would like to go to "low impact" mode. Here is what I have on the switch:

ip device tracking

interface GigabitEthernet3/14
 description test_machine
 switchport
 switchport access vlan 71
 switchport mode access
 ip access-group allow in
 load-interval 30
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 300
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge

ip access-list extended allow
 remark DHCP, DNS, ICMP
 permit udp any eq bootpc any eq bootps log
 permit udp any any eq domain log
 permit icmp any any log
 remark Allow Microsoft Ports (used for better login performance)
 permit tcp any any eq 88 log
 permit udp any any eq 88 log
 permit udp any any eq ntp log
 permit tcp any any eq 135 log
 permit udp any any eq netbios-ns log
 permit tcp any any eq 139 log
 permit tcp any any eq 389 log
 permit udp any any eq 389 log
 permit tcp any any eq 445 log
 permit tcp any any eq 636 log
 permit udp any any eq 636 log
 permit tcp any any eq 1025 log
 permit tcp any any eq 1026 log
 remark PXE / TFTP
 permit udp any any eq tftp log
 permit tcp any any eq 3389 log
 remark deny all the rest
 deny ip any any log

Does this mean that the only difference between "monitor" and "low impact" mode is the ACL on the switchport interface?

Thank you in advance.


nspasov (Cisco Employee)

Hello David-

That is right; as far as the switch is concerned, the pre-authentication ACL is the only difference. The pre-auth ACL just provides initial access to devices/users before they authenticate. Once the device/user authenticates, the pre-auth ACL will get replaced with the dACL that you defined in the authorization profile. For example, let's say that you use Ghost to remotely wipe and re-image machines. You will need a method to let those machines back on the network so they can join AD, get their GPOs pushed, enroll for certificates, etc.

I hope this helps

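To make the difference between the two modes concrete, here is an added example (not part of the thread, and not Cisco's or ISE's code): a small evaluator for the extended ACL posted above. It parses the `allow` ACL exactly as written (ignoring the `log` keyword, which does not affect matching), applies IOS first-match semantics with the implicit deny at the end, and then shows what the switchport does with the same inbound packet in monitor mode (open port, no ACL), in low-impact mode before authentication (pre-auth ACL), and in low-impact mode after ISE authorizes the session and the dACL replaces the port ACL. It also understands `host` and network/wildcard addresses, which the posted ACL does not use. The dACL contents (`permit ip any any`), the host addresses and the sample packets are assumptions for illustration; the post does not show them.

```python
"""Evaluate the low-impact pre-auth ACL from the thread against sample packets.

Only the inbound (client -> network) direction is modelled, because that is
where 'ip access-group allow in' applies the ACL. Everything marked 'assumed'
or 'constructed' is not from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The ACL exactly as posted ('log' keywords kept, remarks kept).
PRE_AUTH_ACL_TEXT = """\
remark DHCP, DNS, ICMP
permit udp any eq bootpc any eq bootps log
permit udp any any eq domain log
permit icmp any any log
remark Allow Microsoft Ports (used for better login performance)
permit tcp any any eq 88 log
permit udp any any eq 88 log
permit udp any any eq ntp log
permit tcp any any eq 135 log
permit udp any any eq netbios-ns log
permit tcp any any eq 139 log
permit tcp any any eq 389 log
permit udp any any eq 389 log
permit tcp any any eq 445 log
permit tcp any any eq 636 log
permit udp any any eq 636 log
permit tcp any any eq 1025 log
permit tcp any any eq 1026 log
remark PXE / TFTP
permit udp any any eq tftp log
permit tcp any any eq 3389 log
remark deny all the rest
deny ip any any log
"""

# Assumed dACL from the ISE authorization profile; the post does not show it.
POST_AUTH_DACL_TEXT = "permit ip any any"

# IOS port names used in the ACL, mapped to their IANA numbers.
NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "ntp": 123,
               "netbios-ns": 137, "tftp": 69}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str              # "any", "host A.B.C.D" or "NET WILDCARD"
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _addr(tokens: List[str]) -> str:
    """Pop one address spec (any | host X | NET WILDCARD) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return "host " + tokens.pop(0)
    return tok + " " + tokens.pop(0)


def _port(tokens: List[str]) -> Optional[int]:
    """Pop an optional 'eq <port>' qualifier; named ports are resolved."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        tok = tokens.pop(0)
        return NAMED_PORTS.get(tok) or int(tok)
    return None


def parse_acl(text: str) -> List[Ace]:
    """Parse the extended-ACL subset used in the post into ACE records."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        if tokens[-1] == "log":          # logging does not change the match
            tokens.pop()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return ip == value
    net, wild = (int(ipaddress.ip_address(x)) for x in (kind, value))
    keep = ~wild & 0xFFFFFFFF           # wildcard bits are "don't care"
    return (int(ipaddress.ip_address(ip)) & keep) == (net & keep)


def lookup(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


PRE_AUTH_ACL = parse_acl(PRE_AUTH_ACL_TEXT)
POST_AUTH_DACL = parse_acl(POST_AUTH_DACL_TEXT)


def port_disposition(mode: str, authenticated: bool, pkt: Packet) -> str:
    """What Gi3/14 does with an inbound packet in each deployment mode."""
    if mode == "monitor":
        return "permit"                    # authentication open, no port ACL
    if authenticated:
        return lookup(POST_AUTH_DACL, pkt)   # dACL has replaced the port ACL
    return lookup(PRE_AUTH_ACL, pkt)         # pre-auth ACL still in place


# Constructed sample traffic: client on 192.168.2.0/24, DC at 192.168.1.10 (assumed).
SAMPLES = {
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns":           Packet("udp", "192.168.2.50", 51000, "192.168.1.10", 53),
    "kerberos":      Packet("tcp", "192.168.2.50", 51001, "192.168.1.10", 88),
    "smb":           Packet("tcp", "192.168.2.50", 51002, "192.168.1.10", 445),
    "http_intranet": Packet("tcp", "192.168.2.50", 51003, "192.168.1.20", 80),
}


def summary(pkt: Packet) -> dict:
    return {"monitor": port_disposition("monitor", False, pkt),
            "low-impact pre-auth": port_disposition("low-impact", False, pkt),
            "low-impact post-auth": port_disposition("low-impact", True, pkt)}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} {summary(pkt)}")
```

Running it shows the security-relevant point of the answer above: in monitor mode the port forwards everything whether or not the host ever authenticates, while in low-impact mode the unauthenticated host gets only the AD-join and imaging traffic the `allow` ACL lists (DHCP, DNS, Kerberos, LDAP, SMB, TFTP, RDP) and the intranet HTTP packet is dropped until ISE authorizes the session and pushes the dACL.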