NAD config for 802.1x/MAB with ISE

babalao · ‎04-25-2024

Hello,

I have seen in several places this commands as best practice.

Are they still needed/helpful ?

-epm logging
-logging host <ISE_IP_address_x> transport udp port 20514
-epm access-control open or access-session acl default passthrough

-device classifier

thank you

regards

Arne Bier · ‎04-25-2024

Hello

-epm logging

Not required - legacy troubleshooting thing for very early ISE releases.

-logging host <ISE_IP_address_x> transport udp port 20514

Nope - that was a very early ISE requirement - but ISE will not enrich its Live Logs with the SYSLOGs of Network Devices.

-epm access-control open or access-session acl default passthrough

Not required - legacy troubleshooting thing for very early ISE releases.

-device classifier

Nope - You only need the IOS Device-Sensor these days. IOS Device Classifier is a handy mechanism to decode the MAC OUI Prefixes into something more human readable. But it's not needed for NAC or for ISE.

There is an old thread that explains some of the history too.

babalao · ‎04-26-2024

Hello,

thanks for the reply.

Is there a current switch config guide for best practices by Cisco?

Thank you.

Aref Alsouqi · ‎04-26-2024

I would recommend these two links to start with:

Switch Configuration for ISE dot1x — Networking fun (network-node.com)

Cisco ISE NAD Configuration Templates – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)