OK .. I have another odd question. How does one handle the need for a PC having a static IP address?

Senario - Network admin PCs are statically set so they can have remote device security set so they only their network can access devices.

With DHCP I can use a policy that checks to make sure they are in the admin AD group and their devices are "corporate assets". With static, if they unplug their corporate asset and plug in say their laptop it gets an IP address in the same address space. They then have access to at least all other admin PCs in the address space.

Suggestions???

brent

Then maybe I have something configured wrong or missed a concept.

There is a VLAN configured on the switch and the PC normally gets an IP address from that VLAN. This is then used in the authentication process. In the case of the static devices this VLAN has to match the static IP address so once again it can participate in the authentication process. If the user unplugs their static device and plugs in their personal device they get a DHCP IP address from that same VLAN. All authentication fails and the user ends up with the web auth policy as they system sees them as a guest. The user can still ping other devices in that VLAN because of the DHCP address on that VLAN.

Thinking back through the whole process, I need to go back and probably separate web auth processes for both wired and wireless? This is not an issue with wireless as the VLAN used only has access to the internet and ISE. Now that wired is there I am lumping those VLANs into the mix and have the bleed through to other devices on the same VLAN.

I am now thinking I actually need is an ISE dedicated VLAN that everything starts in and then once authenticated moved to the appropriate new VLAN for access to network resources. This would allow machine access for windows to do what it needs to do before the user actually signs on but for some reason the transfer from this to user authentication is not working. 

Brent

Hi,

No your question is not odd and is very realistic!!!

As you said the scenario is the laptop of an admin lets say that travels inside your company and needs a dedicated IP address to follow it in order to have access to a DMZ 

Well the answer is YES and NO:)  if i remember this could be made if you play with the attributes assign lets say on a authz profile apart from vlan and dACL  Radius:Framed-IP-Address the IP that you wish and then do the same on the AD on the user in the description field again the same IP address.
It never worked for me and i searched very much that matter.
 Well what i know is that this feature will present on version 2.0 this autumn