Cisco ISE switch configuration

Marcus Peck
Level 1

Hi experts,

I have got the following network in brief:

Devices -> Access Switch -> Core Switch -> Access Switch -> ISE Server

All switches are IOS capable for the 802.1X and AAA configurations for ISE to manage the network devices. However, I have read through the guide on switch configuration in preparation for the Cisco ISE deployment, but I am just wondering: do I need to configure both the access switches and the core switches, or do I only configure the access switches for ISE?

Thanks for your time reading!

Jay233
Level 1

Hi,

To authenticate clients you only need to configure the device (NAS) that will be passing the RADIUS packet to your ISE (RADIUS server), often secured by way of a mutually configured secret key on both devices (authenticator and the authentication server).

An example of a NAS would be an access switch or a WLC.

Vivek Ganapathi
Level 4

Hi Marcus,

It depends on your network design. If all the endpoints get connected to the access switch only, then the major piece of configuration goes on the access switch. Depending on our profiling setup on ISE, if you are using a DHCP profiling option, then you need to ensure that the ISE PSN IP or virtual IP (if load balanced) is configured as an IP helper on the L3 SVI, which might be on your core switch.

Hope this helps.

Regards

Vivek

Hi Vivek, thanks for your reply. The reason I asked this question is because I do not know if the L3 core needs any sort of configuration for the profiling and the NAC to work on the access layer switches connected to it. All endpoints are connected to the access switches as pointed out in my first post, and all endpoints are non-DHCP clients. I do know that the access switches need to be configured accordingly, but how about those switches without any endpoints (e.g. core switches and distribution)?

If all the clients are non-DHCP clients, then there is no configuration on core or distribution at all.

But you may need to look out for different profiling options if the clients are not DHCP enabled. Does the access switch support the IOS sensor function? It would be very useful to have one, as it would send important profiling information to ISE. You may need to use the right profiling options for ISE to determine the endpoint details.

Regards

Vivek
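
The split described in this thread, as an added configuration sketch that is not part of any reply: the RADIUS/802.1X settings and the device sensor go on the access switch (the NAS), and the core needs only an extra IP helper on the L3 SVI when DHCP profiling is used. Classic IOS syntax is assumed and varies by platform and release; every name, address, VLAN and interface below is a constructed placeholder.

```cisco
! ===== Access switch (NAS / authenticator) =====
! All 802.1X and RADIUS configuration lives here, not on the core.
aaa new-model
!
! ISE PSN as RADIUS server. 192.0.2.10 is a placeholder address.
! The key must match the secret set for this switch in ISE.
! Keep comments on their own lines so they never end up inside the key.
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
aaa group server radius ISE
 server name ISE-PSN1
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
dot1x system-auth-control
!
! Device sensor: sends profiling attributes to ISE in RADIUS accounting.
! This is the profiling path that still works for non-DHCP endpoints.
radius-server vsa send accounting
device-sensor accounting
device-sensor notify all-changes
!
! Endpoint-facing port (placeholder interface).
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! ===== Core switch (L3 SVI) =====
! Needed only when ISE uses DHCP profiling. With non-DHCP clients,
! as in this thread, the core carries no ISE-specific configuration.
interface Vlan10
 ! Existing DHCP server (placeholder address)
 ip helper-address 192.0.2.53
 ! Additional helper so the ISE PSN receives a copy of DHCP requests
 ip helper-address 192.0.2.10
```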