Author Topic: ISE and Re-image Desktops (Read 13110 times)

Unibog · « **on:** September 19, 2013, 11:46:44 AM »

Hi Everyone,

I'm wondering how you handle re-imaging desktops and running ISE on the network. Currently the helpdesk biggest beef with ISE on the network is they have to bring the PC back to their area to re-image a PC on a port that isn't running ISE.

Wondering if someone has built a MAB policy to handle corporate desktops before they are put on the domain and get all the GPO's.

Thanks

adecisco · « **Reply #1 on:** September 19, 2013, 05:45:47 PM »

Here I think MAB is the way to go. For authentication MAB with identity sequence pointed to endpoint. While Authorization policy for MAB will be based on condition that meet with minimum requirements for the endpoint to have access to dns, dhcp and ports necessary to communicate with AD and GPO. After the machine is re-image and with possible reboot the dot1x can take over.

Hope this help a bit.

MC · « **Reply #2 on:** September 19, 2013, 09:35:52 PM »

Agree with adecisco, without 802.1x enable, your only other option is MAB. You can temporarily add the PC MAC address to an Endpoint Group and create and Authorization policy to allow just enough access for the PC to be re-imaged. The problem I can see is the person who does the re-image probably does not have access to ISE to add the MAC address so it might take coordination between the two parties.

Unibog · « **Reply #3 on:** September 20, 2013, 06:47:57 AM »

Thanks for the answer guys. When I come up with a solution I'll post it here as I think a lot of people run into this.

Search

User Info

Author Topic: ISE and Re-image Desktops (Read 13110 times)

Unibog

ISE and Re-image Desktops

adecisco

Re: ISE and Re-image Desktops

MC

Re: ISE and Re-image Desktops

Unibog

Re: ISE and Re-image Desktops