For those that have travelled down the path of ISE, is it reliable to put all switch ports into a guest vlan and rely on the NAM to change that for corporate users? We will be using the AnyConnect NAM supplicant for corporate users, so they should automatically be changed into the corporate vlan on successful authentication. Is this correct, and is this reliable? Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially, before they are changed by the Java applet upon registering as a guest user. Thanks
ISE uses 802.1x for authentication and this method is used by many companies, so I would suggest doing the lab deployment and testing the solution before production deployment. Dynamic ACL/VLAN are a better and easier way to control the users.
From a security point of view I can't say that I like guests still being able to plug in, and if the ports are preconfigured for the corporate vlan, then guests are able to sniff traffic. Currently in my lab I have this setup and rely on the Java applet to change the guest's PC to the guest vlan, which works but isn't great.
Whilst I will be changing the default ports to the guest vlan and testing, have people had issues with the change of vlan for the AnyConnect NAM supplicant? I'd love to hear whether by default others have the ports remain in a non-corporate vlan.
If you are using "Closed Mode" then only EAPoL (802.1x) traffic is allowed to traverse that port until authentication succeeds. If authentication fails then you can set the port to be dropped into a guest VLAN with Internet access only. You could also set up CWA (Central Web Auth) so that if authentication fails the user will be redirected to ISE's guest portal for CWA authentication.
Sorry all, I don't think I'm making myself very clear. Say our corporate users are on vlan 20, and our guests on wired and wireless networks are on vlan 40. With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users' NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40? The problem with the last method is, by default the guest connects on the corporate vlan so can actually use Wireshark to sniff our corporate traffic on that vlan. I wanted to know if the change of vlan for corporate users with NAM is reliable, i.e. when a corporate user authenticates, the change of vlan from the guest vlan to the corporate vlan.
1. "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
- I suppose the standard is to have the port in the regular/standard VLAN and only put failed authentications in the guest VLAN. However, with that being said, it really depends on what you are trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor deployed it that way, so I highly recommend you try that in the lab.
2. "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
- Yes it is. Well, at least for the most part. Some "dumb" devices such as printers, badge readers, etc., might not know that a VLAN was changed, thus never request a new IP address. As a result, they get stuck in the guest VLAN. That is why I usually like to NOT use a guest VLAN but send all failed authentications through the guest portal. There you can control who is a guest and who is not via dACLs.
3. "We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things like PXE booting that needs to happen"
- So my guess is that the guest VLAN terminates on some interface such as a FW DMZ. That interface usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the one granted in the Low-Impact mode ACL, otherwise things will break.
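As an added example (not posted by anyone in the thread), here is a Catalyst IOS port configuration for the Low-Impact mode discussed in point 3: the port is open before authentication, but the ingress PRE-AUTH ACL limits what an unauthenticated host can send to DHCP, DNS and PXE/TFTP, and ISE replaces it with a dACL (or a VLAN assignment) on success. The interface name, the ACL name and the 192.0.2.10 PXE server address are assumptions; VLAN 20 follows the thread.

```cisco-ios
! Global prerequisites: RADIUS-backed 802.1x/MAB with network authorization,
! which is what lets ISE push a dACL or VLAN on a successful session.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server vsa send authentication

! Pre-authentication ACL applied inbound on the access port. Anything not
! listed here is dropped until ISE authorizes the session. Note that this
! controls what the host may send, not which flooded frames it receives.
ip access-list extended PRE-AUTH
 remark DHCP so the host can obtain an address
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark PXE boot via TFTP. 192.0.2.10 is a constructed placeholder
 remark for the PXE server address; the DMZ firewall must allow it too.
 permit udp any host 192.0.2.10 eq tftp
 deny ip any any

interface GigabitEthernet1/0/1
 description Low-Impact mode user port (assumed interface)
 switchport mode access
 switchport access vlan 20
 ! Open mode: the port forwards before authentication, PRE-AUTH restricts it
 authentication open
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After a client connects, `show authentication sessions interface GigabitEthernet1/0/1 details` shows whether the session was authorized and which dACL or VLAN ISE applied in place of PRE-AUTH.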
Can someone please provide the actual configuration for this? I was trying to do the following and for some reason the IP address is still being obtained from the corporate VLAN (46) rather than from the Guest VLAN (54) for the guest PCs.
Can someone help me? Thanks in advance.
interface GigabitEthernet4/0/39
 description User Port
 switchport access vlan 46
 switchport mode access
 switchport voice vlan 219
 authentication event fail action next-method
 authentication event no-response action authorize vlan 54
 authentication event server dead action reinitialize vlan 46
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 no snmp trap link-status
 mls qos trust device cisco-phone
 mls qos trust dscp
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 15
 no mdix auto
 storm-control broadcast level 20.00
 spanning-tree portfast
 ip dhcp snooping limit rate 50