
Switch configuration required for ISE

sajid231088
Level 1

Hi All,

Hope you all are doing good.

Please help me on the below requirement.

We are looking for an 802.1x setup for wired and wireless in which we want to have 4 VLANs: one VLAN for wired dot1x, a second VLAN for wireless dot1x, and the third and fourth VLANs would be quarantine VLANs, one for wired and another one for wireless.

We need this because our requirement is that whenever any user connects to our networks, irrespective of wired or wireless, we want to put him/her into the quarantine VLAN first. In the quarantine VLAN all posture operations should happen. Once the device becomes COMPLIANT it should move into our corporate wired/wireless network, or if it's not COMPLIANT then it should have limited access to our network, from where the device will get the required things to become compliant.

I know the configuration of ISE but am not sure about the switch configuration, so can anyone help me with the complete switch configuration from the start?

We have one core switch (3560) and one access switch (2960) for testing.

I am confused about which switch I should create all the VLANs on, whether it will be the core or the access, and which ports I should put in which VLAN.

I want to have DHCP also on my core switch for all VLANs.

Request you all to help me on this.

Thanks in advance.

Regards

Sajid

 

 

 

 

 


Hi Tim,

Thanks for your prompt response. I checked the link but couldn't find a proper solution. I am looking for a switch configuration from start to end.

Regards
Sajid

Francesco Molino
VIP Alumni

Hi

What exact version are you using and what exact model? I'm asking this to give you a config snippet using legacy or IBNS 2.0 (if supported).

At a high level:

- You create VLANs on both core and access switches.

- You create your SVI on your core switch.

- You can pre-set all ports to be in the quarantine VLAN and then you'll change it depending on your posture status.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thanks for your response.

Please find the details below.

Core Switch: Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(2)SE11

Access Switch: Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)

Please find my response below in green text.

- you create vlans on both core and access switches

You mean to say that I need to create all four VLANs on both switches, is that it?

- you create your SVI on your core switch

You mean to say L3 interface (interface VLAN X), right?

- You can pre-setup all ports to be in quarantine vlan and then you'll change it depending on your posture status.

Should this be on the core switch or the access switch?

Thanks.

I'll answer your question.
1. If you need to create a Layer 3 interface on the core you'll need the VLAN there, and as your machine will be connected on your access switch you need it there also. Between the core and access you're gonna have a trunk interface with all VLANs.
2. SVI: Yes, these are Layer 3 interfaces. This means Switch Virtual Interface (interface vlan).
3. Having the quarantine VLAN as default will be for all switches and ports where you want to implement dot1x (then yes on core if you have some users connected on it, and yes for access).

Here is some documentation on how to configure your switch for 802.1x:
- IBNS 2.0: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html ==> With version 12, it's not gonna work
- Legacy: https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515

You will learn by reading them instead of copy/pasting a posted config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
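
The layout described in the replies above (VLANs on both switches, SVIs and DHCP on the core, a trunk between them, user ports defaulting to the quarantine VLAN), written out as an added sketch that is not part of any reply in this thread. It uses the legacy 802.1X syntax because the access switch runs 12.2(52)SE; the VLAN IDs, subnets, interface names, the ISE address 192.0.2.10 and `<shared-secret>` are constructed placeholders.

```cisco
! Constructed values: VLAN 10 wired, 20 wireless, 30 wired quarantine,
! 40 wireless quarantine; 192.0.2.10 stands in for the ISE node.
!
! --- Core switch: VLANs, SVIs, DHCP, trunk to the access switch ---
vlan 10,20,30,40
ip routing
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
! Repeat the SVI and DHCP pool for VLANs 10, 20 and 40 as needed.
ip dhcp excluded-address 10.0.30.1
ip dhcp pool WIRED-QUARANTINE
 network 10.0.30.0 255.255.255.0
 default-router 10.0.30.1
interface GigabitEthernet0/1
 ! Encapsulation line applies to the 3560; omit it on dot1q-only platforms.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
! --- Access switch: same VLANs, trunk uplink, legacy 802.1X ---
vlan 10,20,30,40
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
radius-server vsa send authentication
! Lets ISE send a Change of Authorization after the posture result changes.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <shared-secret>
dot1x system-auth-control
! User port: VLAN 30 is used whenever ISE returns no VLAN; a compliant
! endpoint is moved by ISE returning VLAN 10 in the RADIUS authorization.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 30
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
```

After applying it, `show authentication sessions interface FastEthernet0/1` on the access switch shows which VLAN the session was authorized into.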