Hello all
I am looking for some guidance on my ISE project here, please.
I have had ISE v1.2.1 running in monitor mode for a while now. There are around 50 branch offices and 300 LAN switches in the deployment. I am authenticating domain workstations and thin clients (Wyse) using dot1x via internal CA-issued certificates, and all other endpoints by MAB, allowing ISE to auto-populate the internal endpoints store. My PSNs are not AD-joined, simply because there are several AD domains in the environment with no two-way trust. Also, there are no requirements at the moment for wired or WLAN guest access. By and large, there have been no issues.
I am now looking to transition the deployment to low-impact mode and enforce policies to allow only corporate assets on the wired LAN. I already have network device groups with devices classified according to their deployment stages. The transition will be on a site-by-site basis. My initial thoughts around doing this were:
A1. Use the built-in IP phone and AP profiles and allow matching endpoints (which has license implications).
A2. Build a whitelist from the dynamically learned MAC addresses for other devices (printers and the like).
A3. Deny access to any workstations that authenticate using MAB.
My questions:
Q1. Is there a more elegant/dynamic way of achieving the objective of allowing only corporate assets, PCs and all, to join the network?
Q2. I know ISE will keep adding devices to the internal endpoints store as long as the RADIUS and DHCP probes are enabled on my PSNs. Does it make sense to still use the approach in A2 above?
Q3. Any other useful tips and practical insights from other people's real-world experience.
Thanks
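For readers following the monitor-mode to low-impact-mode transition described in the post, here is an added illustration (not part of the original post, and not the poster's configuration) of what the change looks like on a Cisco IOS access switch. The interface numbers, VLAN IDs, ACL name and port descriptions are assumptions; the point is that both modes keep `authentication open`, and low-impact mode differs only by a static pre-authentication port ACL that ISE overrides with a downloadable ACL once it authorizes a corporate asset.

```cisco
! Constructed example for this thread; interface numbers, VLANs and the
! ACL name are assumptions, not values from the original post.
!
! --- Monitor mode (what the post describes as running today) ---
! "authentication open" lets traffic flow regardless of the RADIUS result,
! so ISE sees every dot1x/MAB attempt but nothing is enforced on the port.
interface GigabitEthernet1/0/1
 description Monitor-mode access port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! --- Low-impact mode ---
! Same open authentication, but a static port ACL now limits what an
! endpoint can reach before ISE returns a result (DHCP/DNS/TFTP/ICMP only).
! A successful authorization replaces it with a dACL from ISE, so corporate
! assets get full access and unknown MAB endpoints stay boxed in.
ip access-list extended ACL-DEFAULT
 remark Allow DHCP so unknown endpoints can still obtain an address
 permit udp any eq bootpc any eq bootps
 remark Allow DNS and TFTP (phones, PXE) plus ICMP for troubleshooting
 permit udp any any eq domain
 permit udp any any eq tftp
 permit icmp any any
 remark Everything else is blocked until ISE authorizes the endpoint
 deny ip any any
!
! Required on older IOS so the switch can apply a downloadable ACL to
! the endpoint's IP address after authorization.
ip device tracking
!
interface GigabitEthernet1/0/2
 description Low-impact-mode access port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

On the ISE side, the matching piece is the authorization policy: the rules that permit certificate-authenticated workstations, profiled phones/APs (A1) and whitelisted MAB endpoints (A2) each return an authorization profile carrying a permissive dACL, while the default rule at the bottom returns no dACL, so an unknown MAB endpoint (A3) is left with only what ACL-DEFAULT allows. Because the port ACL is what limits the blast radius during the site-by-site rollout, it is worth verifying on a pilot switch with `show authentication sessions interface` and `show ip access-lists` that the dACL really replaces ACL-DEFAULT for an authorized host before moving the next site's network device group out of monitor mode.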