Hi all,
We currently have ISE running for 802.1x auth using certs deployed by Active directory to endpoints. We are using legacy authentication commands on our switches and want to switch over to IBNS 2.0 / C3PL commands for the added flexibility.
I've been testing this in a lab and have most of it working but am having an issue with 1 particular thing. I would like to have a fallback scenario where if a windows PC fails authentication using 802.1x due to a cert issue (which happens a lot) I would like for it to get a minimal access ACL which allows connectivity to AD and the certificate authority server as well as DHCP so that it can a) get an IP and b) allow our help desk to renew its cert or troubleshoot any other issue with it and then once everything is good that client can automatically re-authenticate using 802.1x and get full network access in the event of a success. Does anyone have any working config to achieve that? Any would be greatly appreciated.
No comments:
Post a Comment