Lab Minutes Forum
Technical Discussion => Security => Topic started by: Unibog on September 19, 2013, 11:46:44 AM
-
Hi Everyone,
I'm wondering how you handle re-imaging desktops and running ISE on the network. Currently the helpdesk's biggest beef with ISE on the network is that they have to bring the PC back to their area to re-image it on a port that isn't running ISE.
Wondering if someone has built a MAB policy to handle corporate desktops before they are put on the domain and get all the GPOs.
Thanks
-
Here I think MAB is the way to go. For authentication, use MAB with an identity sequence pointed to the endpoints. The authorization policy for MAB will be based on a condition that meets the minimum requirements for the endpoint to have access to DNS, DHCP and the ports necessary to communicate with AD and GPO. After the machine is re-imaged and possibly rebooted, dot1x can take over.
Hope this helps a bit.
-
Agree with adecisco, without 802.1x enabled, your only other option is MAB. You can temporarily add the PC's MAC address to an Endpoint Group and create an authorization policy to allow just enough access for the PC to be re-imaged. The problem I can see is that the person who does the re-image probably does not have access to ISE to add the MAC address, so it might take coordination between the two parties.
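As an added example (not from any poster in this thread) of what the "just enough access" authorization described above could look like in Cisco IOS syntax: a downloadable ACL body that ISE would attach to the authorization profile matched by the temporary re-image endpoint group, followed by a port configuration that runs MAB as a fallback so dot1x takes over once the re-imaged machine has a supplicant. The domain controller 10.0.10.5, imaging server 10.0.20.7, ACL name and interface are placeholders for this example.

```cisco
! Hypothetical dACL body for the ISE authorization profile "REIMAGE-LIMITED".
! Source is always "any" in a dACL (the endpoint itself); destinations are placeholders.
remark DHCP so the freshly wiped PC can get an address
permit udp any eq bootpc any eq bootps
remark DNS and AD ports needed for domain join and GPO processing
permit udp any host 10.0.10.5 eq domain
permit tcp any host 10.0.10.5 eq domain
permit udp any host 10.0.10.5 eq 88
permit tcp any host 10.0.10.5 eq 88
permit udp any host 10.0.10.5 eq 123
permit tcp any host 10.0.10.5 eq 135
permit tcp any host 10.0.10.5 range 49152 65535
permit udp any host 10.0.10.5 eq 389
permit tcp any host 10.0.10.5 eq 389
permit tcp any host 10.0.10.5 eq 636
permit tcp any host 10.0.10.5 eq 3268
permit tcp any host 10.0.10.5 eq 445
remark SMB share on the imaging server (assumed deployment method)
permit tcp any host 10.0.20.7 eq 445
remark ping for helpdesk troubleshooting; everything else is dropped
permit icmp any any echo
deny ip any any

! Access port: try dot1x first, fall back to MAB for the bare PC.
! Once the re-imaged machine starts sending EAPOL, dot1x wins on priority and the
! MAB session with the limited dACL is replaced by the normal domain authorization.
interface GigabitEthernet1/0/10
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

Reauthentication driven by the server lets the helpdesk remove the MAC from the re-image endpoint group afterwards, so the limited dACL does not linger once the machine is on the domain.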
-
Thanks for the answer guys. When I come up with a solution I'll post it here as I think a lot of people run into this.