Hi. I will soon be implementing wired NAC using ISE 2.2 patch 7 and 3850 edge switches. I've done this before, but it's been several years. Rather than just repeating what I did previously, I would like to follow what is currently considered best practice. Some things to consider are the best ways to:
1. Configure RADIUS servers and groups, including timeouts for declaring them dead.
2. Fail-open interface and global configuration
3. Interface templates for dot1x config vs. putting the commands directly in the interface config
4. Pre-auth ACLs?
5. Should authorization profiles be service-templates?
6. Device tracking config
etc.
Can anyone point me towards some good documentation for current best practices?
Thank you.