Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Understanding integration of Juniper switches with ISE

Hi Experts,

I want some inputs on integrating Juniper switches with ISE.

I understand that when working with ISE and Cisco switches, we first deploy a ACL, which is then applied to the endpoint, so that the endpoint is able to communicate with DNS, DHCP and ISE server, right?

But, when I started working with the Juniper engineer to configure and integrate the switch with ISE, they said that is not how it works with Juniper OS.

 I need to be assisting them on integrating and testing first a few set of switches to allow them integrate rest of some odd 100 switches with ISE.

Is there any step by step guide and a pre-requisites that I could refer to get to speed?


Any pointers and suggestion appreciated.


Thank you,

Cisco Employee

Thank you for the document, it was a big help for me to get started on the configuration.

I was also able to get the authentication working along with plain authorization and putting the user in access VLAN.

But, when I configured the policies for Unknown posture, the posture never happened and AnyConnect was showing no policy server detected! Where as the live logs showed Pending for posture.

For the Unknown posture check, I have put in the same access VLAN as in the full access policy.


I am not sure why its not working?!

Is this an accepted behavior?

Any pointers or suggestion appreciated.


I can't help you on the Juniper side, but your understanding of how it works on the Cisco switch side is not quite right.  In Cisco terminology there are three deployment modes for a wired deployment:


  1. Monitor mode- switchport is open with no preauth ACL.  When we install ISE we just call this open mode because we never use the next mode.  In open mode with legacy templates a MAB device will have 20-30 seconds of full network access before Dot1x fails over to MAB and authentication occurs.
  2. Low Impact- switchport is open but there is a preauth ACL to limit access prior to authentication.  We never use this mode because of the extra config required to get the preauth ACL off the interface in the event ISE is down.  
  3. High Security (Closed mode)- switchport is closed and no traffic is allowed (in legacy template) prior to authentication.  


Yes, we do have three modes before we go into closed mode.

The point that I am stuck was with if there were any such modes on Juniper switches as well...

As at the moment we are struggling to figure out what could be the basic pre-requisites that we need to follow before going for production.

I will go through the guide as well from the previous as well to check out.

HI Dgaikwad,

Have you ever resolved this issue? I am doing POC for our company now, and seems like there is low guide we can check when configuring ISE Posture to Juniper switches from the internet.
Content for Community-Ad