Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE wired configuration for imaging


I have a customer who wants to implement ISE on their wired network but they are very particular regarding their machine imaging process. I have given them alternatives as far as configuration is concerned but from their perspective all I have presented have shortcomings. Example alternatives given so far:-

Access list ACL-DEFAULT allows necessary traffic for imaging through - least appealing.

Use MAB to identify the machines and drop them into a VLAN which allows access - problem of identifying the machines in order to put them into an appropriate database.

Identify the switches the devices to be imaged are attached to and use Prime to manipulate the switch configuration appropriately - involves more than one division of the IT department.

Has anyone else come up with a scheme for allowing the required traffic through to imaging services whilst retaining the integrity of the security solution? Ideally I'd like to be able to cover off both the imaging of suites and individual machines.






There is a possiblility you

There is a possiblility you could do profiling using the DHCP class-ID (PXE boot). Based on that profiling you could give the precise access required. It all depends on the imaging setup been used but there is most likely a differentiating factor that would allow you to do this.

Rising star

Yes, if you are using a PXE

Yes, if you are using a PXE type imaging software like altiris or microsofts pxe solution, you can incorporate 802.1x authentication in the PXE image, and in the unattended script which runs the first time the machine boots after getting the image from the PXE server. This way, you in most caes only need the tftp ports that pxe boot uses to get the pxe image with. If your solution uses a WinPE type PXE image version 5.0 and higher, this is pretty the same as configuring windows to do 802.1x

This document has some pretty decent explanations of hpw this can be done :