3750-X Dot1x for wired switch ports with ISE 1.2 doing eap-tls
I currently have an authentication and authorization policy in ISE to allow machines that authenticate successfully with machine certificates to have full access. If they fail, then they are denied. And this works correctly. However, the customer does not want to deny them access if they fail, but instead he would like the machines that fail authentication to have access only to the Internet. I'm looking for some suggestions on what would be the best way to do this from a policy standpoint? Also, this would be for devices that are IT devices, or part of the organization, as well as for devices that aren't, for example for contractors or guest and may or may not have wired dot1x services enabled on their laptop that they will be plugging in. Any help is appreciated.
Hello. I can think of two solutions to your requirement:
#1 (Preferred): Configure CWA (Central Web Authentication) to be your last method of authentication/authorization. That way any devices that fail both dot1x and mab would be send to the guest/web portal hosted by ISE. There users can login with either their AD credentials and/or their guest credentials. That way you can actually provide better/more access to AD type users vs true guests
#2 (Less preferred): You can use the following command to authorize users/devices that fail dot1x to a "Guest/Internet" VLAN. Keep in mind though that if you use that then there is no "next method" so you cannot utilize mab:
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...
This is the start of a display filter cross reference between Wireshark and OmniPeek.
The 1st installment is a table of advanced filters. More filters will be added as time allows.
It is a living doc, so check back for changes every so often
Please feel ...
I have created a Powershell script to automatically add a Wireless Guest User on Cisco WLCs. (tested on 2500 Series)
The script should be completely self explanatory.
Powershell SNMP Module (Install-Module -Name SNMP)
SNMP Write Access to...