Hello!
About profiling in ISE, I have seen in several tutorials that it is recommended to put a policy with an authorization profile (let's call it PROFILING) before the default bottom policy, the one named "Default".
This PROFILING profile would have a dAC...
Hello,
I almost always see this command as best practice: authentication order dot1x mab, but sometimes I see this as best practice: authentication order mab dot1x.
The priority is always this: authentication priority dot1x mab
-when I have PC (dot1x)...
Hello,
To profile devices via DHCP, is it enough to use the device-sensor config for it, or do I still need DHCP relay config to forward DHCP packets to ISE?
device-sensor alone? Or device-sensor + DHCP relay (ip helper-address)?
Thank you.
Regards
Hello,
I have seen these commands in several places as best practice.
Are they still needed/helpful?
-epm logging
-logging host <ISE_IP_address_x> transport udp port 20514
-epm access-control open or access-session acl default passthrough
-device class...
Hello!
I have this doubt.
If a network uses 802.1x, with host-mode multi-domain for example (only allowing one MAC for DATA and one MAC for VOICE).
Is it worth it (I mean, does it add security) enabling the following?
-Port Security? - My answer would be no...
Hello,
Thank you for your great reply.
So I understand that it is a common/good practice to do this to help profiling.
The dACL to allow only DHCP, SNMP would be like this?
permit udp any eq bootpc any eq bootps ...
Hello,
Yesterday I tried it (with 2 2960x) and in both cases I only get DHCP attributes of the endpoint if I put the helper-address. Device sensor did not get info. I shut/no shut the port several times to make DHCP happen and nothing... maybe device...
Thank you for the replies.
I am going to configure this as device-sensor for dhcp:
device-sensor filter-list dhcp list ISE-dhcp
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name cli...
Hello,
Thank you for the replies.
DHCP snooping would be needed, right? Because it guards against other attacks?
So if I have dot1x, is DHCP snooping needed or not? What do you think?
Thank you!
Regards.