03-21-2013 07:24 PM - edited 03-10-2019 08:13 PM
Dear team,
I am proposing ISE to a customer. They want to deploy ISE as the central authentication and policy point for users in branches. I would like to ask whether this scenario is possible:
- When a user client is plugged into an access switch, the switch will use 802.1x or MAB on the switch port.
- After authentication, as the normal method, we will push a dACL or VLAN change from ISE to the switch in the authorization statements. But the customer doesn't want to apply a port ACL on the switch. They want to enforce policy from the gateway router.
So is there any way to do that? I'm thinking about SGT but I don't have any experience with it. Please help to solve this problem. Thank you very much.
Kind regards,
Hiep Nguyen.
03-21-2013 08:46 PM
Hiep,
You can use authentication proxy to push ACLs for users on the router. However, the port-based ACL is your best approach because you can determine authorization at the port level, and if the user moves, so does the policy.
thanks,
Tarik Admani
*Please rate helpful posts*
03-26-2013 08:53 PM
Thank you Tarik for your guidance.