03-08-2021 02:49 PM
Hi Guys,
I have a few Windows 10 computers that are connected to Cisco 9300 switches, and they're on VLAN 10. The switch is using TACACS in ISE for authentication. The Windows computers are joined to the AD domain. AD users can log in to these computers just fine today.
Goal:
How do we prevent anyone from plugging an unauthorized computer into the switch's ports with ISE?
Thanks.
03-09-2021 08:15 AM
You want 802.1X authentication on your switchports.
Please read ISE Secure Wired Access Prescriptive Deployment Guide for how to do this.
03-08-2021 04:49 PM
Some really good documentation to fully understand proper workflows and solutions can be found here: Cisco ISE & NAC Resources
Look under the 'Secure Wired Access' section. That should aid in fully understanding 802.1X + secure access possibilities. HTH!
03-08-2021 04:56 PM
In most enterprise LAN use cases, by default an unknown device that plugs into the port lands in a dummy VLAN that does not lead anywhere, so the user does not get an IP address.
Once the device is authenticated, ISE will allocate the VLAN based on the user's information, and SGT tags will be added so the user gets the access rights they are intended to have.
Your access port config is very important here.
There is a good video on how the onboarding process works:
https://www.youtube.com/watch?v=CbCOZh8xf2A&t=152s