Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3721
Views
0
Helpful
4
Replies

Cisco ISE Switch Template

sejelmohajj
Level 1
Level 1

‎09-27-2017 12:54 AM - edited ‎02-21-2020 10:34 AM

Guys, attached my Cisco ISE Switch Template, please let me know if I am missing anything.
2 people had this problem
Labels:
Preview file
3 KB
0 Helpful
4 Replies 4

Rahul Govindan
VIP Alumni
VIP Alumni

‎09-27-2017 06:12 AM

I would reference the following doc if you are not already using it:
https://communities.cisco.com/docs/DOC-68171
Just a quick run through and I noticed that "ip device tracking" was missing. If you need dACL, redirect URL etc, then this is essential. Also, I did not see any ACL's in the template. If you are using ACL's for port authorization , you might want to add it there.
0 Helpful

sejelmohajj
Level 1
Level 1
In response to Rahul Govindan

‎10-04-2017 01:09 AM

 help me to write Cisco Switch Port ISE Configuration using MAB for Cisco Access Points.

 

Regards 

0 Helpful

agrissimanis
Level 1
Level 1
In response to sejelmohajj

‎10-04-2017 03:31 AM - edited ‎10-04-2017 03:34 AM

The config for access points would depend on whether you are using APs in local mode or Flexconnect. Nothing specific is needed for APs in local mode (that is tunneling all client traffic to the WLC). On ISE, just use profiling or add the AP MAC address to one of the endpoint groups.

If the AP is running in Flexconnect mode (switching client traffic locally), one option is to use "authentication host-mode multi-host" interface config command. That will cause AP to authenticate, but the wireless client MAC addresses that appear on the same port later, would not be authenticated (they would already have been authenticated by the WLC in some form anyway).

For a full port config check the attachment of this post, that is a good example.

0 Helpful

agrissimanis
Level 1
Level 1

‎10-04-2017 03:10 AM

In terms of logging, I would say that you don't need the "epm logging" under normal operation, just if you are troubleshooting.

Also, you may find these three commands helpful (this causes switch not to log successful authentications, just failures):

no authentication logging verbose
no dot1x logging verbose
no mab logging verbose

0 Helpful
Customers Also Viewed These Support Documents