@DamianRCL
There is still the potential that someone could connect an untrusted device to the network; with NAC enabled on the access layer switches, any random device that does not have a known MAC address and device fingerprint (learnt via profiling), c...
@manvik use individual local accounts in the short term. Also arrange for the other department to create a dedicated AD group for ISE administrators; this is the standard approach to delegating mgmt to ISE administrators.
@manvik any member of that group would be allowed based on that group membership.
Ideally you should create a new group and add the users that require access into that group.
@IWSup almost correct....
If there is NAT in between you and the peer you will need udp/500 and udp/4500. ESP cannot be translated and is encapsulated inside udp/4500.
If there is NO NAT between you and the peer then you need udp/500 and ESP.
Here i...
@IWSup I note you've edited your post since my last response.
Ideally you should permit from the trusted source(s) IP address to the Gi8 IP address. If permit ESP any any is already in place that will work, but you are obviously allowing from all sou...