https://ciscolicense.com/lic/cat/security/ise/
IBNS 2.0
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2015/pdf/BRKSEC-2691.pdf
20140122-techupdate-part-3.pdf
NEAT with Interface Templates
Case study Combating MAC address spoofing in access networks
Triggered NetFlow — A Trick of the Trade
https://community.cisco.com/t5/network-access-control/dot1x-mab-priority-and-order/td-p/3515280
In our environment:
order: mab dot1x
priority: dot1x mab
This made sense in our environment as we wanted to accommodate MAB devices quickly and not make them wait for dot1x timeout. Using the priority allows for dot1x to overrule the MAB process if it sees EAPoL traffic. This assists with quick connection time as well for dot1x nodes.
The issue we faced was that dot1x supplicants could not re-authenticate properly and send an EAPoL packet to restart the dot1x process. This occurred on Windows, Mac, native as well as AnyConnect supplicants. The only way we found at the time to resolve it was to either change the order to dot1x mab or turn off re-auth.
We just recently modified one of our AuthZ profiles to use cisco av-pair = termination-action-modifier=1.
This will have ISE instruct the switch to re-use the last successful method, whether it was dot1x or mab, for that session.
This so far has resolved these struggles. We are continuing to test.
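
Added example, not part of the community post above and not the poster's actual configuration: a legacy-syntax (non-IBNS 2.0) access port using the order and priority described, with the RADIUS attributes an authorization profile would return so that re-authentication reuses the last successful method. The interface name and the Session-Timeout value are constructed placeholders.

```cisco
! Constructed example port; the interface name is a placeholder.
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 ! Try MAB first so non-supplicant devices do not wait for the dot1x timeout.
 authentication order mab dot1x
 ! dot1x outranks MAB: EAPoL from the endpoint preempts a MAB session.
 authentication priority dot1x mab
 ! Enable re-authentication and take the timer from the RADIUS server.
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
! Attributes returned in the Access-Accept by the authorization profile
! (shown as comments; these are set on the RADIUS server, not the switch):
!
!   Session-Timeout    = 3600            <- constructed value, in seconds
!   Termination-Action = RADIUS-Request  <- re-authenticate instead of tearing down
!   cisco-av-pair      = termination-action-modifier=1
!                        ^ re-authenticate with the method that last succeeded
!                          instead of restarting from the first method in
!                          "authentication order"
```

To check which method ran after a re-authentication, run show authentication sessions interface GigabitEthernet1/0/10 details on the switch and compare the method status before and after the timer expires.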