Cisco Catalyst 2960X-48FPS-L Switch White Paper
© 2015 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information
Page 18 of 19
White Paper
Conclusion
The use cases exercised in the Cisco lab provide a base understanding of ISE solution capabilities. This effort reflects Cisco IOS release 3.6.3 (15.2(2)E3) with ISE 1.3 patch 3.
Some key observations and recommendations:
Dot1X support requires an authentication server such as ISE. Dot1X authentication does not work unless the network access switch can route packets to the configured ISE server. In closed mode, until a client is authenticated, only Extensible Authentication Protocol over LAN (EAPOL) traffic (and CDP, if enabled) is allowed through the port to which the client is connected. After authentication succeeds, normal traffic can pass through the port.
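The closed-mode port and the ISE reachability requirement described above, as an added configuration example that is not part of the white paper. It uses the legacy-style authentication commands; the ISE address (10.10.10.21), the source SVI (Vlan100), the client port (Gi1/0/10), the access VLAN and the RADIUS server name are all assumptions chosen for illustration, and the shared secret and test credentials are placeholders.

```cisco
! --- Added example, not from the white paper. Assumed: ISE PSN 10.10.10.21,
! --- switch management SVI Vlan100, client port Gi1/0/10, access VLAN 10.
! --- Legacy-style (pre-IBNS 2.0) authentication commands are assumed.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ISE must be routable from the switch's RADIUS source interface, or no
! dot1x session can ever be authorized. Pinning the source interface keeps
! the NAD IP that ISE sees identical to the one defined in ISE.
radius server ISE-PSN1
 address ipv4 10.10.10.21 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
ip radius source-interface Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
radius-server vsa send accounting
!
dot1x system-auth-control
!
! Closed mode is the default. Do NOT add "authentication open" on production
! ports: that is open (monitor) mode and forwards unauthenticated traffic.
! With the port as configured here, only EAPOL and CDP pass until ISE
! returns an Access-Accept.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! Verification (exec mode):
! test aaa group radius REPLACE-WITH-USER REPLACE-WITH-PASS new-code
!     -> proves the switch can reach ISE and that the shared secret matches
! show authentication sessions interface GigabitEthernet1/0/10 details
!     -> shows the method, the session status, and the DACL name once authorized
```

Run the `test aaa` command before troubleshooting anything on the port: if it fails, the problem is routing, the shared secret, or the NAD definition in ISE, and no amount of port configuration will make Dot1X work.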
It is recommended to use downloadable ACLs (DACLs) instead of static ACLs on the switch. In a small branch converged access design it is easier to apply a uniform access policy from a centralized ISE policy server than to configure it on every access switch in the network. Changes to the access control entries only have to be made in the Cisco ISE server rather than on every campus switch.
It is recommended to restrict downloadable ACLs (DACLs) to fewer than 64 ACEs per DACL, for maximum compatibility across switching platforms, configurations, network topologies and ISE servers. While it may be possible to achieve a stable configuration with more than 64 ACEs in some cases, the 64-ACE recommendation is made so that the ACL is compatible in the majority of scenarios.
It is recommended to use Centralized Web Authentication (CWA) with ISE whenever possible. There are a few scenarios where Local Web Authentication (LWA) is preferred or is the only option. For the CWA or LWA process to work, a client needs to be able to obtain an IP address, a default route and a DNS server address. All of these can be provided by DHCP or by local configuration. DNS resolution must work for CWA or LWA to work.
For client HTTP(S) traffic to be intercepted and redirection to work, the HTTP(S) server needs to be enabled on the Cat3850 switch.
Permit/deny statements in the redirect ACL carry a different meaning from those in a normal ACL. For the redirect ACL,
– 'permit' identifies packets that are punted to the CPU for processing, i.e. subjected to redirection; 'deny' identifies packets that are forwarded in hardware without being subjected to redirection; the rest of the packets are dropped.
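The CWA requirements listed above (client must obtain an address, a route and DNS; HTTP(S) server enabled on the switch; inverted permit/deny semantics of the redirect ACL), together with the DACL recommendation earlier in this section, as one added configuration example that is not part of the white paper. The ISE address (10.10.10.21), the ACL name, the portal FQDN and the client port are assumptions chosen for illustration; the ISE-side attribute and DACL text is shown as comments because it is entered in ISE, not on the switch.

```cisco
! --- Added example, not from the white paper. Assumed: ISE PSN 10.10.10.21
! --- (portal FQDN ise-psn1.example.com), client port Gi1/0/10, ACL name
! --- ACL-WEBAUTH-REDIRECT chosen for illustration.
!
! 1. The switch must terminate the client's HTTP and HTTPS requests itself;
!    without these two lines nothing is intercepted and no redirect happens.
ip http server
ip http secure-server
!
! 2. Redirect ACL. Its semantics are NOT those of a filtering ACL:
!    permit = punt to CPU and redirect, deny = forward in hardware untouched.
!    The traffic the client needs to get an address (DHCP), resolve the
!    portal name (DNS) and reach ISE must therefore be DENIED here, or it
!    would be redirected too and the portal page would never load.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   ip  any host 10.10.10.21
 permit tcp any any eq www
 permit tcp any any eq 443
!
! 3. ISE side (Authorization Profile, Web Redirection CWA, ACL name as above).
!    ISE generates the two cisco-av-pair attributes in the Access-Accept; the
!    switch resolves the ACL by name, so the name must match step 2 exactly.
!    The redirect URL carries the PSN FQDN, which is why client DNS must work.
!    cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
!    cisco-av-pair = url-redirect=https://ise-psn1.example.com:8443/portal/gateway?sessionId=SessionIdValue&portal=<portal-id>&action=cwa
!
! 4. ISE side pre-authentication DACL (Policy Elements, Results, Downloadable
!    ACLs). Same ACE syntax as an IOS extended ACL without the
!    "ip access-list" header. This is the ACL that actually filters: it lets
!    through exactly what the redirect ACL bypasses or punts and drops the
!    rest, and at six ACEs it is well under the 64-ACE recommendation.
!    permit udp any eq bootpc any eq bootps
!    permit udp any any eq domain
!    permit ip  any host 10.10.10.21
!    permit tcp any any eq www
!    permit tcp any any eq 443
!    deny   ip  any any
!
! Verification (exec mode):
! show authentication sessions interface GigabitEthernet1/0/10 details
!    -> "URL Redirect ACL" and "URL Redirect" must show the values from step 3
! show ip access-lists ACL-WEBAUTH-REDIRECT
!    -> rising hit counts on the permit tcp lines confirm web traffic is punted
```

A common mistake is to write the redirect ACL as if it were a filter, with `permit` lines for DHCP, DNS and ISE at the top: on the switch that punts and redirects exactly the traffic the client needs to reach the portal, and the session never completes. Keep the redirect ACL short and put the filtering policy in the DACL.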
DNS resolution is mandatory for URL redirection to work for Apple iOS devices.
On certain endpoints, such as iOS devices, there is no need for a Supplicant Provisioning Wizard (SPW) package because the native operating system is used to configure the Dot1X settings.
It is important to note that for Android devices the user is required to download the SPW software from Google's Play Store, since it cannot be distributed by ISE.