ACL - ISE

Hi team!

In ISE, can a static ACL be applied dynamically to a switch interface? I.e. if a port on a switch which connects to a printer is active, but no certificate is received by ISE, then ISE pushes an ACL to the switch port to allow only traffic to the printer. This could eventually bypass the MAC authentication workaround.

Bravo!

Bellefroid

Please find attached.

Please rate useful posts!

Tags: Cisco Security

Similar Questions

  • ISE node failure & pre-authorization ACL

    Hi all

    I would like to know what should be the best practice for the following configuration.

    (1) Access for devices/end users to the network if both ISE nodes become inaccessible: how can we ensure that full network access is granted if the two ISE nodes become unavailable?

    (2) What is the best practice for setting up the pre-authorization ACL if IP phones are also in the network?

    Here is the port configuration and the pre-authorization ACL which I use in my network.

    interface Fa0/1
     switchport access vlan 30
     switchport mode access
     switchport voice vlan 40
     ip access-group ISE-ACL-DEFAULT in
     authentication event fail action authorize vlan 30
     authentication event server dead action authorize vlan 30
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation protect
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 5

    *****************************************

    ip access-list extended ISE-ACL-DEFAULT
     remark DHCP
     permit udp any eq bootpc any eq bootps
     remark DNS and domain controllers
     permit ip any host 172.22.35.11
     permit ip any host 172.22.35.12
     remark Ping
     permit icmp any any
     remark PXE / TFTP
     permit udp any any eq tftp
     remark deny all
     deny ip any any log

    Thank you & best regards,

    Guelma

    Hello

    On question 1, since you use "authentication host-mode multi-domain", then "authentication event server dead action authorize vlan X" is the way to go.

    But if you use "authentication host-mode multi-auth" then you should use "authentication event server dead action reinitialize vlan X".

    On question 2, it is not mandatory to use a pre-authorization ACL. My current deployment has IP phones; since I use profiling with the RADIUS and CDP probes, ISE can detect and authorize the IP phones even if the switch blocks all packets. That is why I didn't need a pre-authorization ACL.

    Please rate if this helps.

  • ISE 1.2 and ACL with several ports

    When creating a dACL for my groups I used the syntax "permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of the entries within the dACL, and the syntax check validated it. When I pushed it to my groups it worked too, but I have heard that this type of multi-port ACL entry is not supported in ISE. Does anyone know if this is accurate?

    You can use several ports in a dACL to control access and it works perfectly with ISE.

    Please rate useful posts.

  • ISE Airespace WLC ACL problem

    Hello

    I have configured ISE and the WLC for use with the CWA guest portal, but there is a problem with the CoA: it won't apply the Airespace ACL after authentication on the guest portal.

    1. On the authC page, I configured wireless MAB to continue if the user is not found, and use Internal Users as the identity store.

    2. On the authZ page I configured a WEBAUTH default rule with the following:

    Access Type = ACCESS_ACCEPT

    cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT

    cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

    3. I've also configured this ACL on the WLC to allow:

    permit any-to-any icmp and dns

    permit any-to-ISE 8443

    permit ISE-to-any

    This part works very well, because I get redirected to the guest portal and can use my guest login & password to authorize myself. The guest account was previously generated through the sponsor portal, and that works too.

    4. On the authC page, I use wireless dot1x with Internal Users.

    5. On the authZ page I use a rule "if InternalUsers:Guest then GUEST".

    6. The GUEST rule looks like the following:

    Access Type = ACCESS_ACCEPT

    Airespace-ACL-Name = GUEST_INTERNET_ONLY

    7. This ACL is configured on the WLC to allow everything except private networks (ISE is also permitted).

    After authentication on the guest portal, I see a success message and I was able to ping the internet, but I don't have web access. It looks like the CoA and the Airespace ACL are not working and I am still using my ACL-WEBAUTH-REDIRECT access list, and I see a strange error message in the WLC logs:

    * apfReceiveTask: 17:32:27.317 12 Nov: % ENTRY_DONOT_EXIST-3-ACL: acl.c:369 cannot find an ACL by name.

    I swear my ACL name spelling is correct, and ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC, with counters increasing!

    I have no idea what the problem could be...

    Any ideas?

    P.S. see attachment for the Live Authentications log

    You can try "debug client <mac>" in the WLC CLI and then connect with the client. There you see whether the WLC applies your ACL.

    It looks like this for my permit-all ACL:

    * apfReceiveTask: 25 Oct 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) change IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1)-(calling apf_policy.c:1762)

    It should be near the bottom.

    And then "debug disable-all" afterwards.

    Another question: you can test the internet but have no web access, also by URL? Does DNS work after the last ACL is applied?

    On this line in the log:

    * apfReceiveTask: 17:32:27.317 12 Nov: % ENTRY_DONOT_EXIST-3-ACL: acl.c:369 cannot find an ACL by name.

    I get that with CWA too and it works, so I don't know whether it is related (for my setup).

    Regards
    Mikael

    Sent from Cisco Technical Support iPad App

    Post edited by: Mikael Gustafsson

  • REQUIRED: ISE 1.1.3 posture setup and switch config (ACL, dACL)

    Hello

    Could anyone please post an ISE posture (and remediation) configuration screenshot?

    I urgently need a dACL and a redirect ACL that work at least in a lab model.

    Authentication and authorization policies are not necessary.

    Posture and remediation policies are not necessary.

    The question is about the ACLs (I guess).

    It must be a valid switch configuration file, with ACLs (if necessary) on an Ethernet dot1x port.

    My IOS is 12.2(55)SE or (52)SE.

    Thank you in advance.

    Best regards.

    C.

    URL-redirect ACL on the access switch:

    access# conf t
    access(config)# ip access-list extended ACL-POSTURE-REDIRECT
    access(config-ext-nacl)# deny udp any any eq domain
    access(config-ext-nacl)# deny udp any host <> eq 8905
    access(config-ext-nacl)# deny udp any host <> eq 8906
    access(config-ext-nacl)# deny tcp any host <> eq 8443
    access(config-ext-nacl)# deny tcp any host <> eq 8905
    access(config-ext-nacl)# deny tcp any host <> eq www
    access(config-ext-nacl)# permit ip any any
    access(config-ext-nacl)#

    A dACL that restricts the network access of endpoints that are not posture compliant:

    Name

    POSTURE_REMEDIATION

    Description

    Allows access to the posture and remediation services and denies all other access. General http and https are permitted for redirection only.

    Content of the dACL

    permit udp any any eq domain
    permit icmp any any
    permit tcp any host <> eq 8443
    permit tcp any any eq 80
    permit tcp any any eq 443
    permit tcp any host <> eq 8905
    permit udp any host <> eq 8905
    permit udp any host <> eq 8906
    permit tcp any host <> eq 80
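    The threads above all turn on how an IOS extended ACL on an access port is read: the pre-authorization ACL in the node-failure question, the multi-port "eq 22 443" syntax in the ISE 1.2 question, and the pairing of a posture dACL with a URL-redirect ACL in the posture question. The following Python script is an added example, not code from any of the posters or from Cisco. It is a small parser and first-match evaluator for IOS extended ACL entries, plus a helper that combines a dACL with a url-redirect ACL the way an IOS access port applies them: the dACL filters first, and among the flows it permits, "permit" entries of the redirect ACL select traffic for redirection to the ISE portal while "deny" entries exempt it. The address 10.0.0.10 is an assumed ISE node address standing in for the "<>" placeholder in the posture ACLs, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69}

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _take_addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' and return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tok[1])) & 0xFFFFFFFF)  # invert the wildcard
    return ipaddress.IPv4Network((tok[0], str(netmask)), strict=False), tok[2:]

def _take_ports(tok):
    """Consume an optional 'eq P [P ...]' clause; IOS accepts several ports here, as in 'eq 22 443'."""
    ports = set()
    if tok and tok[0] == "eq":
        tok = tok[1:]
        while tok and tok[0] not in ("any", "host", "log") and "." not in tok[0]:
            ports.add(PORT_NAMES.get(tok[0]) or int(tok[0]))
            tok = tok[1:]
    return frozenset(ports), tok          # empty set means "any port"

def parse_acl(text):
    """Parse an IOS extended ACL into (action, proto, src, sports, dst, dports) tuples.
    The 'ip access-list' header and 'remark' lines are skipped; a trailing 'log' is ignored."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark", "!"):
            continue
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _take_addr(tok)
        sports, tok = _take_ports(tok)
        dst, tok = _take_addr(tok)
        dports, _ = _take_ports(tok)
        aces.append((action, proto, src, sports, dst, dports))
    return aces

def evaluate(aces, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for action, proto, a_src, sports, a_dst, dports in aces:
        if (proto in ("ip", pkt.proto) and src in a_src and dst in a_dst
                and (not sports or pkt.sport in sports) and (not dports or pkt.dport in dports)):
            return action
    return "deny"

def posture_decision(dacl, redirect_acl, pkt):
    """dACL first; of what it permits, a flow hitting a 'permit' entry of the url-redirect ACL is sent
    to the ISE portal and a flow hitting a 'deny' entry is exempt from redirection and forwarded."""
    if evaluate(dacl, pkt) == "deny":
        return "drop"
    return "redirect" if evaluate(redirect_acl, pkt) == "permit" else "forward"

# Constructed inputs: the ACLs quoted in the posts above; 10.0.0.10 is an assumed ISE node address
# standing in for the '<>' placeholder in the posture ACLs.
PRE_AUTH_ACL = parse_acl("""
ip access-list extended ISE-ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 permit ip any host 172.22.35.11
 permit ip any host 172.22.35.12
 permit icmp any any
 permit udp any any eq tftp
 deny ip any any log
""")
MULTI_PORT_ACL = parse_acl("permit tcp any 192.168.20.0 0.0.0.255 eq 22 443")
POSTURE_REDIRECT = parse_acl("""
 deny udp any any eq domain
 deny tcp any host 10.0.0.10 eq 8443
 deny tcp any host 10.0.0.10 eq 8905
 deny udp any host 10.0.0.10 eq 8905
 deny tcp any host 10.0.0.10 eq www
 permit ip any any
""")
POSTURE_DACL = parse_acl("""
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 10.0.0.10 eq 8443
 permit tcp any host 10.0.0.10 eq 8905
 permit udp any host 10.0.0.10 eq 8905
 permit tcp any any eq 80
 permit tcp any any eq 443
""")

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.50", "203.0.113.7", 50002, 80), Packet("tcp", "10.1.1.50", "10.0.0.10", 50003, 8443),
                Packet("tcp", "10.1.1.50", "203.0.113.7", 50004, 445)):
        print(pkt.dst, pkt.dport, "->", posture_decision(POSTURE_DACL, POSTURE_REDIRECT, pkt))
```

    Run as a script it prints "redirect" for HTTP to an internet host, "forward" for HTTPS to the ISE node (exempted by the redirect ACL), and "drop" for SMB, which the dACL never permits. The evaluator stops at the first match, so a "permit ip any host 172.22.35.11" line earlier in the pre-authorization ACL lets DNS through even though the later lines never mention port 53; ordering the entries is as important as writing them.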

  • ISE / IBNS 2.0 - authentication open

    Is anyone running IBNS 2.0, or does everyone stick with the legacy "authentication" commands that have been available forever?

    We are looking at IBNS 2.0 to take advantage of its critical ACL functionality, which is not available in the legacy auth-manager style.

    When I converted an existing legacy-style configuration to the new IBNS 2.0 style on a 3850, I could not tell which line is the equivalent of the "authentication open" command.
    Can someone please point it out to me?

    How do we do "authentication open" in the new IBNS 2.0 style?
    This is important for the MONITOR & LOW-IMPACT phases of our ISE deployment.

    ===============

    New style:

    policy-map type control subscriber POLICY_Gi1/0/21
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x retries 2 retry-time 0 priority 10
     event authentication-failure match-first
      5 class DOT1X_FAILED do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
       10 activate service-template CRITICAL_AUTH_VLAN_Gi1/0/21
       20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
       25 activate service-template CRITICAL-ACCESS
       30 authorize
       40 pause reauthentication
      20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
       10 pause reauthentication
       20 authorize
      30 class DOT1X_NO_RESP do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      40 class MAB_FAILED do-until-failure
       10 terminate mab
       20 authentication-restart 40
      60 class always do-until-failure
       10 terminate dot1x
       20 terminate mab
       30 authentication-restart 40
     event agent-found match-all
      10 class always do-until-failure
       10 terminate mab
       20 authenticate using dot1x retries 2 retry-time 0 priority 10
     event aaa-available match-all
      10 class IN_CRITICAL_AUTH do-until-failure
       10 clear-session
      20 class NOT_IN_CRITICAL_AUTH do-until-failure
       10 resume reauthentication
     event authentication-success match-all
      10 class always do-until-failure
       10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
     event violation match-all
      10 class always do-until-failure
       10 restrict

    ================

    The old style:

    interface GigabitEthernet1/0/21
     description TEST-ISE
     ip access-group ACL-DEFAULT in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 1
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication timer restart 40
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10

    It seems that "authentication open" is now the default and as such does not appear in the new-style configuration.

    access-session closed

    Example:

    Device(config-if)# access-session closed

    Prevents preauthentication access on this port.

    • The port is set to open access by default.

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/San/configuration/XE-3SE/3850/San-Cntrl-pol.html

  • Guest authorization in ISE 2.0

    Hi all

    I will install ISE 2.0 in a corporate network that has many routed branches; I have a few questions about the guest user authorization policy.

    If the authorization profile is configured with dynamic ACLs, where can I give the VLAN ID details for guest users, considering that the VLAN ID for guest users is different for each branch? How will guest users obtain an IP address from the right VLAN?

    Hello

    If the VLAN is different at each location, you can do local switching on the AP instead of central switching on the WLC. This mode is called FlexConnect.

    For the combination of ISE, FlexConnect and CWA, you have a few resources available on Cisco's website.

    Here I copy a link to a step-by-step config:

    http://www.Cisco.com/c/en/us/support/docs/security/identity-services-Eng...

    Hope this answers your question.

    PS: Please do not forget to rate and mark as correct answer if this solves your problem.

  • Access when the ISE server is dead

    Hello
    I'd like to know how to give access to users when ISE is dead.
    I'm asking because I'm using a pre-authentication ACL, so even with the "authentication event server dead action authorize vlan XX" command, access will be limited, won't it?

    My pre-authentication ACLs allow access only to ISE, DNS and DHCP requests.

    Kind regards.

    André

    I'm afraid you don't have a lot of options here. I have encountered this problem before during my deployments. The problem is that ISE is needed in order to signal the switch to remove the pre-authorization ACL by means of a dACL. However, since ISE is not available, the switch can authorize endpoints into a VLAN, but you need another method to remove the pre-authorization ACL. In the past, I've accomplished this via one of the following:

    1. An EEM script that reconfigures the switch and sets the pre-authorization ACL to "permit ip any any" (or removes the pre-authorization ACL altogether) when/if the ISE servers become unavailable. I thought this required the IP Services feature set, but looking at the following doc it looks like you could do it with IP Base too. I guess you can give it a try and see what happens :)

    http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/IOS-software-releases-12-2-special-early-deployments/product_bulletin_c25-614546.html

    Example EEM script:

    http://www.alcatron.NET/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.PDF

    2. The second method requires a converged access switch (3850, 3650). These switches can be configured with policies where the pre-authorization ACL can be replaced by a critical ACL when ISE is down.

    I hope this helps!

    Please rate useful posts!

  • ISE 2.0 domain / non-domain machine auth problem

    Hello

    Can anyone suggest an ISE 2.0 authorization policy for domain and non-domain computers?

    Requirement: domain computers should authenticate with the domain user ID & password using the PEAP protocol, but non-domain machines should not be able to authenticate using domain credentials from the Windows login prompt.

    I tried using the "user or computer" parameter and selecting the authorization policy (domain computers & domain users).

    Thank you

    Kamlesh

    Are you doing a VLAN override for the guests? The reason I ask is that I've never been able to get this feature to work well. Instead, I always preferred to use dACLs (switches) and Named ACLs (WLCs).

    If you use this feature, I suggest increasing the timers a little and seeing if it works.

    For your licensing question:

    Cisco ISE licenses are counted as follows:

    • A Base or Advanced license is consumed based on the feature that is used.
    • An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected wired and wireless at the same time. Licenses for VPN connections are based on the IP address.
    • Licenses are allocated on concurrent, active sessions. An active session is one for which a RADIUS Accounting Start has been received but a RADIUS Accounting Stop has not yet been received.

    Note: Sessions without RADIUS activity are automatically purged from the Active Sessions list every 5 days, or if the endpoint is deleted from the system.

    To avoid service interruptions, Cisco ISE continues to provide services to endpoints that exceed the license entitlement. Cisco ISE instead relies on RADIUS accounting to keep track of the concurrent endpoints on the network and generates alarms when the endpoint count exceeds the licensed amount:

    • 80% info
    • 90% warning
    • 100% critical

    Please rate useful posts!

  • ISE: IPv6 dACL support

    Hello

    Does anyone know if/when ISE will be able to push IPv6 dynamic ACLs? I failed to find any information on this other than an old post here: https://supportforums.cisco.com/discussion/11795676/ise-support-ipv6-dyn...

    Thank you

    Phill Macey

    It is not supported as of the current ISE 1.3.

    I heard it is planned for a future release, but there is no date announced or committed for the moment.

    If you are working with a partner or a Cisco account manager, don't forget to request it officially if this is important to you. Customer requests help build the business case for prioritizing features.

  • Cisco ISE (Identity Services Engine) - SGA seed device?

    Hello

    We have a lab with Cisco ISE, certificates and dACLs. Everything works fine with version 1.1.1, but now we want to use the SGA/SGT functionality instead of ACLs, and we found that we need a seed device for this, and that the only device that supports it is the Nexus 7000. Is this true? Is this the only way we can use SGA/SGT? Are there plans for any other device to be usable as seed device?

    BR, Marko

    The seed device is defined as the first device that communicates with ISE. It must be a link.

    http://www.Cisco.com/en/us/docs/solutions/enterprise/security/TrustSec_2.0/trustsec_2.0_dig.PDF

    In addition, the Nexus needs an Advanced Services license installed in order to support TrustSec.

    I can't comment on any future plans.

  • ISE domain name, certificates and guest portal

    Hello world

    We have an ISE deployment using our internal domain for its FQDN (example: ise01.private.local). Now we want to use it for guest access authentication, and have noticed that the default redirect URL uses the FQDN of the ISE server.

    This works very well for our corporate machines, as we have our own internal certification authority and generated certificates. As we don't want certificate errors to occur for our guests, we need to use a public FQDN.

    Are we better off changing the domain name used by the ISE servers, or is it possible to change the redirect URL to use a custom domain?

    I've heard suggestions that changing the domain name is not supported, but I can't find another way.

    Thank you
    Mark

    Mark,

    Do you already have a public FQDN pointing to your ISE? If so, let's assume that you authenticate using CWA. First create a new authorization profile; under Common Tasks, select Web Redirection (CWA, DRW, MDM, NSP, CPP), choose the redirection type (in this case, CWA) and set the ACL to use. Just below, select Static IP/Host name and enter the public FQDN that points to your ISE.

    From there, you can create an authorization policy that references the profile you just created.

    Please rate useful posts and mark this question as answered if this does in fact answer your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • ISE pre-authorization access list

    Dear all,

    I created a pre-authorization access list for Cisco ISE 1.4, according to the "Switch Configuration Required to Support Cisco ISE 2.0 Functions". The Cisco IP phone is properly profiled and downloads a good "permit ip" access list, but when I make a PSTN call I hear one-way audio. When I look at the switch logs, they show me that RTP has been blocked by the default access list. My question is: when my dACL is downloaded correctly, why is the default ACL interrupting the RTP? I also see that ports 2000 & 2443, which are used for the CUCM keepalive, are blocked by the default access list, so the phone loses its connection to the server.

    Am I missing something?

    Thank you

    Which is not the same thing?

    Try using "details" at the end of the command.

  • ISE 2.0 - assignment of dACLs from Active Directory

    Hello

    Maybe someone can help me with this:

    I would like to assign a dACL from an attribute I get from the AD object of the user being authorized.

    So, for example, I have set up "ACL test" in ISE, and the same name is assigned to a user in AD.

    Now, I want to assign this ACL in an authorization profile with the value I get from the AD attribute.

    Under authorization profiles, I can't assign an AD attribute to the "DACL Name" field in Common Tasks.

    Does anyone have an idea how to do this with ISE 2.0?

    Thank you

    Joerg

    I doubt that you can do this; you must use the AD attribute as a condition in the authz rules and match it with an authorization profile which contains your dACL setting. This of course means you will need a separate rule for each different dACL you want to use.

  • ISE with WLC AND switches

    Hello

    We run 3x WLC controllers with 800 APs, using ISE 1.2 for wireless 802.1X authentication. I was looking in the ISE config and noticed that, of 400 edge switches, only 2x 2960s are configured with 802.1X (ISE RADIUS config) and SNMP, and only 2 of their ports have APs attached, plus the remaining switch ports, and the 3x WLC are in network devices.

    I do not understand how an access point is doing this work (802.1X), because they are located on different sites and people are connecting from various different locations. ISE runs almost 11,876 profiled endpoints.

    version 12.2
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$fokm$lesIWAaceFFs.SpNdJi7t.
    !
    username Test-RADIUS password 7 07233544471A1C5445415F
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    !
    aaa server radius dynamic-author
     client 10.178.5.152 server-key 7 151E1F040D392E
     client 10.178.5.153 server-key 7 060A1B29455D0C
    !
    aaa session-id common
    switch 1 provision ws-c2960s-48 i/s-l
    authentication critical recovery delay 1000
    !
    ip dhcp snooping vlan 29,320,401
    no ip dhcp snooping information option
    ip dhcp snooping
    no ip domain-lookup
    ip device tracking
    !
    logging of the EMP
    !
    crypto pki trustpoint TP-self-signed-364377856
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-364377856
     revocation-check none
     rsakeypair TP-self-signed-364377856
    !
    crypto pki certificate chain TP-self-signed-364377856
     certificate self-signed 01
    30820247 308201B 0 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
    2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
    69666963 33363433 37373835 36301E17 393330 33303130 30303331 0D 6174652D
    305A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
    532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3336 34333737
    06092A 86 4886F70D 01010105 38353630 819F300D 00308189 02818100 0003818D
    B09F8205 9DD44616 858B1F49 A27F94E4 9E9C3504 F56E18EB 6D1A1309 15C20A3D
    31FCE168 5A8C610B 7F77E7FC D9AD3856 E4BABDD1 DFB28F54 6C24229D 97756ED4
    975E2222 939CF878 48D7F894 618279CF 2F9C4AD5 4008AFBB 19733DDB 92BDF73E
    B43E0071 C7DC51C6 B9A43C6A FF035C63 B53E26E2 C0522D40 3F850F0B 734DADED
    02030100 01A 37130 03551 D 13 6F300F06 0101FF04 05300301 01FF301C 0603551D
    11041530 13821150 5F494D2B 545F5374 61636B5F 322D312E 301F0603 551D 2304
    18301680 1456F3D9 23759254 57BA0966 7C6C3A71 FFF07CE0 A2301D06 03551D0E
    04160414 56F3D923 75925457 BA09667C 6C3A71FF F07CE0A2 2A 864886 300 D 0609
    F70D0101 5B1CA52E B38AC231 E45F3AF6 12764661 04050003 81810062 819657B 5
    F08D258E EAA2762F F90FBB7F F6E3AA8C 3EE98DB0 842E82E2 F88E60E0 80C1CF27
    DE9D9AC7 04649AEA 51C49BD7 7BCE9C5A 67093FB5 09495971 926542 4 5A7C7022
    8D9A8C2B 794D99B2 3B92B936 526216E0 79 D 80425 12B 33847 30F9A3F6 9CAC4D3C
    7C96AA15 CC4CC1C0 5FAD3B
      quit
    dot1x system-auth-control
    dot1x critical eapol
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
    !
    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig (STP)
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause sfp-config-mismatch
    errdisable recovery cause gbic-invalid
    errdisable recovery cause psecure-violation
    errdisable recovery cause port-mode-failure
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause pppoe-ia-rate-limit
    errdisable recovery cause mac-limit
    errdisable recovery cause vmps
    errdisable recovery cause storm-control
    errdisable recovery cause inline-power
    errdisable recovery cause arp-inspection
    errdisable recovery cause loopback
    errdisable recovery cause small-frame
    errdisable recovery cause psp
    !
    vlan internal allocation policy ascending
    !
    interface GigabitEthernet1/0/10
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/16
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/24
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/33
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/34
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/44
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/46
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/48
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/49
     description link GH
     switchport trunk allowed vlan 1,2,320,350,351,401
     switchport mode trunk
     mls qos trust dscp
     ip dhcp snooping trust
    !
    interface GigabitEthernet1/0/52
     description link CORE1
     switchport trunk allowed vlan 1,2,29,277,278,314,320,401
     switchport mode trunk
     mls qos trust dscp
     ip dhcp snooping trust
    !
    interface Vlan320
     ip address 10.178.61.5 255.255.255.128
     no ip route-cache cef
     no ip route-cache
    !
    ip default-gateway 10.178.61.1
    ip http server
    ip http secure-server
    ip http secure-active-session-modules none
    ip http active-session-modules none
    !
    ip access-list extended ACL-AGENT-REDIRECT
     deny udp any any eq domain bootps
     permit tcp any any eq www
     permit tcp any any eq 443
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     permit udp any eq bootpc any eq bootps
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host 10.178.5.152 eq 8443
     permit tcp any host 10.178.5.152 eq 8905
     permit udp any host 10.178.5.152 eq 8905
     permit tcp any host 10.178.5.152 eq 8906
     permit udp any host 10.178.5.152 eq 8906
     permit tcp any host 10.178.5.152 eq 8909
     permit udp any host 10.178.5.152 eq 8909
     permit tcp any host 10.178.5.153 eq 8443
     permit tcp any host 10.178.5.153 eq 8905
     permit udp any host 10.178.5.153 eq 8905
     permit tcp any host 10.178.5.153 eq 8906
     permit udp any host 10.178.5.153 eq 8906
     permit tcp any host 10.178.5.153 eq 8909
     permit udp any host 10.178.5.153 eq 8909
     deny ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny ip any host 10.178.5.152
     deny ip any host 10.178.5.153
     permit tcp any any eq www
     permit tcp any any eq 443
    !
    ip radius source-interface Vlan320
    logging esm config
    logging trap alerts
    logging origin-id ip
    logging source-interface Vlan320
    logging 192.168.6.31
    logging host 10.178.5.150 transport udp port 20514
    logging host 10.178.5.151 transport udp port 20514
    access-list 10 permit 10.178.5.117
    access-list 10 permit 10.178.61.100
    snmp-server engineID local 800000090300000A8AF5F181
    snmp-server community W143L355 RO
    snmp-server community w143l355 RW
    snmp-server community lthpublic RO
    snmp-server community lthise RO
    snmp-server trap-source Vlan320
    snmp-server source-interface informs Vlan320
    snmp-server enable traps snmp authentication linkdown linkup coldstart
    snmp-server enable traps cluster
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps ipsla
    snmp-server enable traps syslog
    snmp-server enable traps vtp
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 10.178.5.152 version 2c lthise mac-notification
    snmp-server host 10.178.5.153 version 2c lthise mac-notification
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 03084F030F1C24
    radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 141B060305172F
    radius-server vsa send accounting
    radius-server vsa send authentication

    Any help would be really appreciated.

    I'm not sure I completely understand the question; but if ISE is only doing wireless policy, then none of the wired switches need any ISE configuration.

    Access points tunnel all wireless traffic to the WLC over CAPWAP (unless you use FlexConnect). It is the 802.1X configuration on the WLC that enforces the policies defined in ISE.

    Wired switches never need to act as a network access device (NAD) and so do not need to be defined in ISE, unless or until you want to apply ISE policies to wired devices...
