With randomized MAC addresses becoming more of the norm for mobile devices, it’s time to think about how you handle guest access. The main configuration I’ve seen is authenticating the connection, adding the MAC address to GuestEndpoints, and then allowing future authentications for X number of days based on that MAC address. Obviously, that’s about…
Authenticate user and machine certificates at the same time (EAP chaining) without using the AnyConnect NAM.
Sending authentications to different RADIUS servers/deployments has been pretty easy for wireless controllers for a long time now. Configure the RADIUS servers and assign them per SSID/WLAN. This wasn’t always possible for wired users on the same switch. With IBNS 2.0, we can now utilize policy maps to configure each port to send the authentication to a different RADIUS server deployment.
Using the iPSK Manager for Cisco ISE for provisioning wireless BYOD and IoT device access.
Configuring Cisco ISE and Meraki MX VPN for client authentications.
Taking a look at the discovery host and call home list settings in the AnyConnect ISE posture module configuration.
Instead of using a Network Access Users account, we are going to create guest accounts via the sponsor portal that are allowed to authenticate using 802.1X.
It’s a scenario I’ve seen pretty often. You try to log into the CLI of an ISE node (SSH or console) with the admin account and the login fails. You verify that the password is correct. The problem is that you’ve been locked out due to too many failed logins. Unfortunately, the only solution you…
After a long delay, I finally finished configuring and testing a new IBNS 2.0 template. A link can be found on my NAD template page. There aren’t a lot of changes between this template and my original C3PL template.
Redirecting HTTPS requests for guest or posturing causes the browser to display certificate errors. Stop redirecting HTTPS!