Understanding integration of Juniper switches with ISE

dgaikwad
Level 5

Hi Experts,

I want some inputs on integrating Juniper switches with ISE.

I understand that when working with ISE and Cisco switches, we first deploy an ACL, which is then applied to the endpoint, so that the endpoint is able to communicate with DNS, DHCP and the ISE server, right?

But, when I started working with the Juniper engineer to configure and integrate the switch with ISE, they said that is not how it works with Juniper OS.

I need to assist them with integrating and testing a first few sets of switches, to allow them to integrate the rest of the 100-odd switches with ISE.

Is there a step-by-step guide and a list of prerequisites that I could refer to, to get up to speed?

Any pointers and suggestions appreciated.

 

Thank you,

Accepted Solutions

Hello All,

 

Recently I got an opportunity to perform a POC with Cisco ISE (2.7 Patch 4) and a Juniper EX 2300 switch to perform 802.1x EAP-FAST (machine + user) authentication followed by Posture Assessment on Windows 10 machines (installed with AnyConnect 4.9 NAM, Posture and a compatible compliance module).

I was able to perform all of the client's requirements successfully.

The most challenging part was achieving seamless posture assessment using dynamic URL redirect.

 

Attaching the document which can guide everyone to configure the same. Hope it helps.

 

Regards,

Mitesh Manwatkar

 

 


6 Replies

hslai
Cisco Employee

Thank you for the document, it was a big help for me to get started on the configuration.

I was also able to get the authentication working along with plain authorization and putting the user in access VLAN.

But when I configured the policies for Unknown posture, the posture never happened and AnyConnect was showing "no policy server detected", whereas the live logs showed Pending for posture.

For the Unknown posture check, I have put in the same access VLAN as in the full access policy.

 

I am not sure why it's not working?!

Is this an accepted behavior?

Any pointers or suggestions appreciated.

paul
Level 10

I can't help you on the Juniper side, but your understanding of how it works on the Cisco switch side is not quite right.  In Cisco terminology there are three deployment modes for a wired deployment:

 

  1. Monitor mode- switchport is open with no preauth ACL.  When we install ISE we just call this open mode because we never use the next mode.  In open mode with legacy templates a MAB device will have 20-30 seconds of full network access before Dot1x fails over to MAB and authentication occurs.
  2. Low Impact- switchport is open but there is a preauth ACL to limit access prior to authentication.  We never use this mode because of the extra config required to get the preauth ACL off the interface in the event ISE is down.  
  3. High Security (Closed mode)- switchport is closed and no traffic is allowed (in legacy template) prior to authentication.  

 

Yes, we do have three modes before we go into closed mode.

The point where I am stuck is whether there are any such modes on Juniper switches as well...

At the moment we are struggling to figure out what the basic prerequisites are that we need to follow before going to production.

I will go through the guide from the previous post as well, to check it out.

Hi Dgaikwad,

Did you ever resolve this issue? I am doing a POC for our company now, and it seems there is little guidance on the internet that we can check when configuring ISE Posture with Juniper switches.
