
ISE flow for different scenarios

saghisha
Cisco Employee

Dear Community,

We are working on a design for ISE for one of the banks. They've requested the below information to be provided:

How ISE functionalities (with traffic flow) work with

1. Using Dot1x


     a. Static IP addressing.

     b. DHCP IP addressing.


2. Without using Dot1x.

     a. Static IP Addressing.

     b. DHCP IP Addressing.


3. What are the limitations of using static IPs, and what are the advantages of using DHCP instead of static IPs?

The ISE functionalities they are looking for are:

o Profiling.

o Visibility.

o Compliance/ Posture check.

o Access Control / Authentication.

o Mobility, Guest Access, 3rd party access.


Can someone help us build the flows if we don't have any ready-made ones?


Regards,

Samer


Craig Hyps
Level 10

ISE can work with static or DHCP-assigned addresses, including all features mentioned.

The limitation of static IP is that you limit profiling, as there is data in the DHCP request which can be very useful in profiling endpoints, but it is not the only source of profile data. It is generally recommended to enable the IP Device Tracking feature on Cisco switches to facilitate the learning of IP addresses of connected endpoints. The IP address can be communicated to ISE via DHCP, but also via SNMP and RADIUS.

The Community forums are particularly useful for answering specific questions, but not for designing networks. I would reach out to a Cisco or Partner SE for general design assistance. There are also many resources on general ISE operation with the various features noted above which may help describe general RADIUS flows for 802.1X, MAB, and Web Authentication.

Regards,
Craig
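
Added example, not part of the original thread and not ISE code: a minimal Python parser showing the kind of endpoint data carried in the options field of a DHCP request (host name, vendor class, parameter request list), which a statically addressed endpoint never sends. The option codes are from RFC 2132; the choice of options, the helper names and the sample bytes are assumptions made for illustration.

```python
# Added example: sample bytes are constructed, not captured traffic.
DHCP_MAGIC = bytes([99, 130, 83, 99])  # RFC 2131 magic cookie

# RFC 2132 option codes commonly used for endpoint fingerprinting
# (assumption: chosen for illustration, not taken from ISE itself).
TEXT_OPTIONS = {12: "host-name", 60: "vendor-class-identifier"}
PARAM_REQUEST_LIST = 55

def parse_dhcp_options(field: bytes) -> dict:
    """Walk the code/length/value options that follow the magic cookie."""
    if field[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    found, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == 255:      # End option
            break
        if code == 0:        # Pad option: single byte, no length
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        found[code] = value
        i += 2 + length
    return found

def profiling_attributes(field: bytes) -> dict:
    """Return only the attributes useful for classifying the endpoint."""
    raw = parse_dhcp_options(field)
    attrs = {name: raw[code].decode("ascii", "replace")
             for code, name in TEXT_OPTIONS.items() if code in raw}
    if PARAM_REQUEST_LIST in raw:
        # The order of requested options is itself an OS fingerprint.
        attrs["parameter-request-list"] = list(raw[PARAM_REQUEST_LIST])
    return attrs

def opt(code: int, data: bytes) -> bytes:
    """Encode one option as code, length, value (hypothetical helper)."""
    return bytes([code, len(data)]) + data

# Constructed DHCPDISCOVER options field.
SAMPLE = (DHCP_MAGIC + opt(53, b"\x01") + opt(12, b"LAB-PC-01")
          + opt(60, b"MSFT 5.0") + opt(55, bytes([1, 3, 6, 15])) + b"\xff")

if __name__ == "__main__":
    print(profiling_attributes(SAMPLE))
```
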

Thank you, Craig, for the information provided. Can you please share the resources where we mention the flows?

For the static IP, how are we doing the CoA? As changing the VLAN will not be possible with static IP, should it be based on dACLs (assuming SGT is not supported)?

There are many resources on the training page, but it is not exactly clear what you are looking for in terms of "flows". Although a bit dated, I posted a collection of auth flows for various features which I compiled a while ago. Maybe this is what you are looking for: ISE Auth-Feature Flows_v1.pdf
