ISE - Deploy Internet Access Wired GUEST

Kalimoz (Level 1)

Hello all,

I'm having a huge struggle to deploy the scenario I want in ISE.

So I have dot1x and MAB working fine. The problem is when someone from outside the company plugs in the cable (even if they don't belong to AD and don't have their MAC associated with ISE): I want them to have access only to the internet.

I'm not able to do this in ISE. Is it possible?

 

PC(outside company) -----> PLUGS CABLE -------> ISE ------> Give him VLAN (example 20) only internet access -----> Happy PC

Is it possible?


4 Replies

Of course this is possible, and it is also a good practice. How are you currently classifying your company devices using dot1x and/or MAB?

If you have dot1x and MAB set up correctly, you only need to configure a catch-all rule that sends a dACL that only allows internet access to the switch port.

--
Please remember to select a correct answer and rate helpful posts

Hello Marius,

Thank you for the reply.

The condition I have for dot1x is based on Location and Equipment; this is the same for MAB.

For dot1x, company PCs need to validate the certificate and user based on AD.

For MAB it is only based on MACs imported to the list (like printers / cameras etc.), each one with their respective profile.

So what I can interpret from what you say is to create an Authorization policy based on Location or Devices and use VLAN 20 and a dACL on it?

Yes, or if you have an unused VLAN, a remediation VLAN for example that only has access to the internet, you could push the devices into that VLAN. If you do not have a remediation VLAN then a dACL will do the trick. I find that many do not have a VLAN for unauthorized devices already configured, which is why I recommended the dACL approach.

--
Please remember to select a correct answer and rate helpful posts
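As an added illustration of the two options Marius describes (not configuration from this thread or from Cisco), the block below shows what a catch-all "internet only" result typically looks like on the switch side: the dACL body that ISE pushes for the fallback authorization rule, the minimum IOS settings the switch needs to accept a downloadable ACL, and the RADIUS attributes that the VLAN variant returns instead. The ACL name INTERNET-ONLY, the resolver address 10.0.0.53, VLAN 20, and the interface numbers are placeholders chosen for the example; the private ranges being blocked are the RFC 1918 networks, adjust them to the address space actually used internally.

```cisco
! ---- Option A: dACL pushed by ISE for the catch-all (no dot1x / MAB match) rule ----
! Body of the downloadable ACL as typed into the ISE authorization profile.
! In a dACL the source is always "any"; the switch substitutes the endpoint's IP.
! Name INTERNET-ONLY and resolver 10.0.0.53 are constructed placeholders.
permit udp any eq bootpc any eq bootps          ! DHCP so the guest can get an address
permit udp any host 10.0.0.53 eq domain         ! DNS to the one resolver we allow
permit tcp any host 10.0.0.53 eq domain
deny   ip any 10.0.0.0 0.255.255.255            ! block every RFC 1918 range ...
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any any                               ! ... and let everything else (internet) through

! ---- Switch-side prerequisites for dACL download (IOS 15.x style; names vary by platform) ----
aaa new-model
aaa authorization network default group radius  ! switch must accept authorization attributes
radius-server vsa send authentication           ! needed for the Cisco VSA carrying the dACL name
ip device tracking                              ! switch must learn the endpoint IP to apply the dACL
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group PRE-AUTH in                    ! static port ACL that the dACL replaces after auth

! ---- Option B: remediation/guest VLAN returned by the ISE authorization profile instead ----
! Standard IETF RADIUS attributes (64, 65, 81) for dynamic VLAN assignment; VLAN 20 is a placeholder.
! Tunnel-Type             = VLAN (13)
! Tunnel-Medium-Type      = IEEE-802 (6)
! Tunnel-Private-Group-ID = 20
! The guest VLAN's gateway then has to be the thing that limits it to the internet (ACL or firewall policy).
```

A few points worth checking before relying on either option: with the dACL variant, verify with `show ip access-lists interface <port>` (or `show authentication sessions interface <port> details`) that the per-session ACL actually attached, which fails silently if IP device tracking has not learned the host's address; with the VLAN variant, the dACL does nothing to stop lateral movement inside the guest VLAN itself, so the filtering must live at the VLAN's layer-3 boundary. In both cases the catch-all rule should sit last in the ISE authorization policy so that matching dot1x and MAB rules above it still win.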

Thank you Marius,

Will try that approach
