03-28-2024 08:14 AM
Hi,
Our network consists only of Meraki products, and we are now looking at the possibility of implementing 802.1X on the wired side using Cisco ISE for that.
Our business is geographically very spread out and we have both large and small branches. Some small branches only have an MX firewall and MR APs, so we have a challenge applying an access policy on MX ports (not possible in Meraki), unlike on an MS switch.
What we want to implement on MX FW ports is a Failed Auth VLAN for devices that fail to authenticate (e.g. new Windows Autopilot devices). Can we create such a policy in ISE that applies to Failed Auth devices so they end up on e.g. VLAN15?
I have set up ISE in a test environment and also one test branch on the Meraki network. Some simple rules for testing 802.1X are set up. Devices that can authenticate end up in the right place. Now I want to solve it for those that can't.
I've been looking for useful info but so far I haven't found anything that can help me.
03-28-2024 08:20 AM
What do you see in the Live Logs on ISE? (What ISE version?)
Have you looked at the guide below:
04-01-2024 04:17 AM - edited 04-01-2024 04:17 AM
For that use-case you need an MS. Dynamic VLAN assignment for MX ports is not possible.
04-02-2024 03:05 AM
Hi,
When we asked our Cisco account manager, we got the answer that it was possible via ISE. Now you are telling me that it is not possible :).
04-02-2024 03:36 AM
You can authenticate the device on the MX ports; 802.1X and MAB are supported. However, the MX will ignore the VLAN that the ISE sends. The MX receives the VLAN ID, which is visible in the event log, but it doesn't act on it—one of the many restrictions of the MX.
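An added example (not from this thread or from Cisco/Meraki): a small Python decoder for the RFC 2868 tunnel attributes that ISE places in an Access-Accept for dynamic VLAN assignment, plus a check that flags when the VLAN actually applied on the port differs from the one ISE sent, which is exactly the MX behaviour described above. The sample packet is constructed inline, and the port's configured VLAN is assumed to be supplied by the caller (e.g. read from the dashboard).

```python
import struct
from typing import Optional

# RFC 2868 attribute types ISE sends for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6  # Tunnel-Type=VLAN, Medium=IEEE-802
ACCESS_ACCEPT = 2


def parse_attributes(payload: bytes):
    """Split the RADIUS attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def assigned_vlan(packet: bytes) -> Optional[int]:
    """Return the VLAN ID an Access-Accept assigns, or None if no complete, tagged
    (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) set is present."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    by_tag = {}
    for atype, val in parse_attributes(packet[20:length]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and val:
            # First byte is a tag only when it is 0x00-0x1F (RFC 2868 section 3)
            tag, body = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            by_tag.setdefault(tag, {})[atype] = body
    for grp in by_tag.values():
        if len(grp) == 3 and int.from_bytes(grp[TUNNEL_TYPE], "big") == TUNNEL_TYPE_VLAN \
                and int.from_bytes(grp[TUNNEL_MEDIUM_TYPE], "big") == TUNNEL_MEDIUM_802:
            return int(grp[TUNNEL_PRIVATE_GROUP_ID].decode())
    return None


def build_access_accept(vlan: str, tag: int = 1) -> bytes:
    """Constructed sample: a minimal Access-Accept carrying a dynamic VLAN (dummy authenticator)."""
    def attr(t, v):
        return bytes([t, len(v) + 2]) + v
    body = attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    body += attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    body += attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode())
    return struct.pack("!BBH", ACCESS_ACCEPT, 0x2A, 20 + len(body)) + b"\x00" * 16 + body


def vlan_not_applied(packet: bytes, port_vlan: int) -> bool:
    """True when ISE assigned a VLAN but the port (assumed value) stayed on a different one."""
    v = assigned_vlan(packet)
    return v is not None and v != port_vlan
```

Running this against a real Access-Accept captured from the ISE side shows whether the VLAN was sent at all; comparing with the port's real VLAN separates "ISE never sent it" from "the MX ignored it".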