
Some ISE feature questions

tarek.krull
Level 1

Hello guys,

I am relatively new to the ISE and would like to get some answers about features and administration that I couldn't find in the documentation. It would be great if you could help me out :-).

1. I would like to use MAB for printers and all other non-capable dot1x devices

- Is there a way to automate MAC address collection? Otherwise I would have to manually create identities for every single device (like a wizard or something, not .csv)

- If MAB is used, does ISE have something like a timestamp feature, where I can detect "dead" devices?

2. We are using private VLANs for guest access (just isolated or protected port on 2960s)

- Does dynamic VLAN port configuration work with ISE?

Thanks and best regards,

Tarek

Accepted Solutions

Ryan Wolfe
Level 5

Hi Tarek,

As far as automating MAC address collection for use in MAB, there is not a solution built into ISE for this. However, you could minimize the amount of work you would have to do by doing something like sticky MACs with port-security to initially grab the MACs, then just pull them out of the config to put into ISE manually. Even easier, clear your ARP cache and pull them from there after it rebuilds. Do a little cleanup and there you go. It's not as automated as you'd probably like, but it's better than just doing it one by one.

For the PVLANs, I can't speak with confidence, but I can say that I don't believe it can dynamically assign PVLANs. I guess it is possible, but I haven't seen anything where it has been done. I don't think that it can dynamically build the associations required for PVLANs. I would enjoy being told I was wrong on this one, though.

Hope that helps,

Ryan


3 Replies

Venkatesh Attuluri
Cisco Employee

Automatic collection of MAC addresses for MAB is not supported. You can use sticky MAC for this and collect the MAC addresses from the configuration.

But if you have more endpoints, then you had better choose to profile them with probes like DNS, DHCP, RADIUS, etc. Using private VLANs for guest access, I don’t think dynamic VLAN port configuration will work with ISE. I would need to do further research on it.

Ryan Wolfe
Level 5

Hi again Tarek,

After poking around ISE a little more, I found a couple things that may suit your needs.

If you go to Administration -> Identity Management -> Endpoints you can manually enter your endpoints that MAB will use for authentication. If you click "Import" you have two options: Import from file and Import from LDAP. If you import from a file, you can download a template, which I have attached. The following is the prompt for importing from LDAP, and, of course, requires an LDAP server to connect to.

Hopefully this can make things a bit easier for you,

Ryan
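
The collection and cleanup steps suggested in the replies above (sticky MACs from the switch config, or the ARP table after it rebuilds), sketched as an added example that is not part of the original thread. The sample text is constructed, and the output is a bare MAC list: the column layout of the ISE import template is not shown on this page, so take the header from the template you download.

```python
import re

# Cisco dotted MAC notation (xxxx.xxxx.xxxx), as used in IOS config and ARP output
DOTTED = r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
# Learned sticky entry; the bare "mac-address sticky" enable line has no MAC and is skipped
STICKY_RE = re.compile(r"^\s*switchport port-security mac-address sticky " + DOTTED)
# "show ip arp" row: Protocol, Address, Age, Hardware Addr, Type
ARP_RE = re.compile(r"^Internet\s+\S+\s+(\S+)\s+" + DOTTED + r"\s+ARPA")

# Constructed sample: part of a running-config followed by "show ip arp" output
SAMPLE = """\
interface FastEthernet0/5
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0021.b7aa.10f3
interface FastEthernet0/6
 switchport port-security mac-address sticky 0004.00c3.9e12
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   0019.e8d2.4c41  ARPA   Vlan20
Internet  10.1.20.31             12   0021.b7aa.10f3  ARPA   Vlan20
Internet  10.1.20.32              3   0080.9155.0a7e  ARPA   Vlan20
Internet  10.1.20.40              0   Incomplete      ARPA
"""

def normalize(mac):
    """Convert xxxx.xxxx.xxxx to upper-case colon-separated octets."""
    digits = mac.replace(".", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def collect_macs(text):
    """Return unique endpoint MACs in first-seen order."""
    seen, result = set(), []
    for line in text.splitlines():
        sticky = STICKY_RE.match(line)
        arp = ARP_RE.match(line)
        if sticky:
            mac = sticky.group(1)
        elif arp and arp.group(1) != "-":  # age "-" is the device's own interface
            mac = arp.group(2)
        else:
            continue  # unrelated line, header, or Incomplete ARP entry
        mac = normalize(mac)
        if mac not in seen:
            seen.add(mac)
            result.append(mac)
    return result

if __name__ == "__main__":
    print("\n".join(collect_macs(SAMPLE)))
```

A list built this way contains whatever was connected while the switch was learning, so review it against your inventory before importing it as the MAB allow list.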