Tuesday, October 2, 2018

Cisco ISE / dot1x, phones and APs...?

Out of the frying pan and into the fire, as they say. The new project that landed in my lap is to either enable a full-blown NAC (overkill) or dot1x on our wired networks. No problem, I did dot1x 11 years ago; this is going to be cake!

Except it's not. Back then everything was Cisco; now it's not.

So here's the challenge, or rather two specific challenges: Polycom phones and wireless APs. Desk phones are the Polycom VVX series, but a good portion of them have a PC daisy-chained to them. APs are all Meraki. Both support dot1x, but the problem is... trunking. Right now we're trunking on pretty much every port, as the voice VLAN is tagged on the phone and the daisy-chained PCs are on the access VLAN. The APs live on the management VLAN, and all of the SSIDs are tagged to their appropriate VLANs.

Switches are a mix of Cisco SG500 (ugh), 2960-X and 3850s.

My only thoughts right now are no more daisy-chaining PCs to the phones, as the phones do support dot1x, and to file the APs into the acceptable-risk category, as we can't restrict them to one non-Corp VLAN.

Anyone else run into this? From all I'm reading, ISE wouldn't solve anything for me for this particular use case, as it's just front-ending RADIUS and basically doing dot1x for me. I could definitely be missing something there, however.
