Tagged: ISE

WebApp: Cisco ISE-Python-Flask

My previous post “Python and ISE Monitor Mode” was about how to collect access-session information from the switch and use it for endpoint verification; specifically, for MAB-only devices, adding them to the proper Endpoint Group in Cisco ISE. The result of the script was a file with the “failed” devices. With this info, we had to log in to the ISE...

Python and ISE Monitor Mode

There are several ways to run ISE (wired) in monitor mode, and several AuthZ results to use: dACL, another VLAN, etc. It is always a good idea 🙂 to run ISE in monitor mode first to verify everything is working, and then pull the trigger, switch to production and actually enforce the policy. What We Need and What We Want Cisco...

Python: Apply config to multiple interfaces (with the condition)

It is not about the interface range feature :) After my post about how to get into the switch with “not sure” credentials, let’s assume you fixed access and configured the devices with TACACS and SSH. It’s time to drop the interface-level config for ISE NAC (as an example) onto all user ports, while server, wireless and trunk ports must be excluded. With proper segmentation using VLANs, we should have...

Python and Cisco ISE – Collect Endpoints

I have liked the Cisco ISE GUI since 2.4: it’s pretty easy, maybe with too many tabs and menus, but once you get the idea, you are good to go. I had a task of ISE migration from one deployment to another. We had set up 2 ISE deployments in parallel. The idea was to keep everything working on ISE#1 while we...

Cisco ISE: Update HotSpot access-code Daily

Several times I have run into the question of whether there is an option to “automatically” change the guest HotSpot access code at a given interval (let’s say daily), and I came up with the following solution: ISE API + Python + Task Scheduler. Steps: enable the API on ISE, create a Python script, configure Task Scheduler. Enable the ERS APIs: the ERS APIs are...

Cisco ISE Force Guests to accept AUP

Here is how I usually configure the NEW-Guest-Endpoints purge policy and the options we have: Administration > Identity Management > Settings > Endpoint Purge. ElapsedDays: number of days since the object was created. For a daily purge, “Elapsed Days less than 1”: this should work for brand new endpoints, but what if you implement this purge rule after ISE has already learned the MAC...

Cisco 802.1X Supplicant and NAD

Every ISE deployment project includes this question from the client: what if dot1x is enabled on the supplicant and not on the NAD, and vice versa? Supplicant – Configured, NAD – Not Configured: if 802.1X is not enabled or supported on the network access device, any EAPOL frames from the client are dropped. If the client does not receive an EAP-Request/Identity frame...

Cisco ISE Posture Update Issue

While trying to update Posture, I got the following error message: “Remote address is not accessible. Please make sure update feed url, proxy address and proxy port are properly configured”. Solution: check the cisco.com certificate and add the intermediate certificate to the ISE trusted store: