Welcome to the Official Cisco ISE RU-vid Channel. Cisco ISE is an All-in-One solution that helps define and enforce policy across Wired, Wireless & VPN Networks.
Learn more: www.cisco.com/go/ise
Get answers to your ISE questions by visiting the customer community @ cs.co/ise-community
Could you please share the content of the PowerShell script you used for the Domain Join condition? Also, what is ISE looking for from executing that script? How did ISE determine that the endpoint satisfied the Domain Join requirement?
I have a question about the EAP-TLS method using the user certificate. How is that certificate generated? Is it manually added to the device, or is it automatically pushed? Does anyone have an idea about that?
Thanks. Can you also create a video where you show how to output logs to elasticsearch / openobserve? Should be relatively easy since ISE already uses Elastic?
Subscribed! I'll check out your videos. I've recently been given a project to implement NAC with cert auth using ISE as the authentication server and I don't know anything about ISE. I hope I don't blow up my whole environment. Trying to learn everything I can so I am successful. Thank you for investing your time into this video to share with us amateurs who are just trying not to take everything down.
I have been hunting for this for three days straight, gone through a lot of headache especially on the redirect and dACL. Most tutorials seem to point back to Airespace ACLs; will be trying out this method. This should work. Thank you so so much.
Thank you, very helpful! Suppose you're configuring a group of read-only users and only allowing show commands, not allowing configure terminal, should it matter whether aaa authorization config-commands is in place since they can't access global config mode anyway?
So new to this, never really ran into this software before, but have used Cisco all my career, and had a Juno router early in my IT career. So got any tips or tricks for why this is recommended / needed?
No... ACS has been unsupported for many years now. See cs.co/acstoise for the basic process but you are probably better off doing a complete policy re-write fresh in ISE rather than converting from your old ACS to ISE then doing multiple interim upgrades of ISE at this point.
I have customers who are using ISE with a PSK, and now I would like to have them use 802.1X with EAP. What would be the first things that I need to do?
Create a separate SSID that only allows 802.1X with EAP and configure a policy in ISE that authenticates those users against your Active Directory or other Identity Store. See Securing Cisco Catalyst Wireless with ISE using mPSK / iPSK / 802.1X @ ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-1JREdDCRH3c.html or Secure Cisco Meraki Wireless with ISE @ ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-w3bLEI6dUIo.html
@33:13, when discussing using environment variables: wouldn't it be the responsibility of the Cisco ISE Ansible modules to support looking up where the creds are, and not be dependent on the version of ISE you are running?
Hey Thomas, not sure if you'll see this, but I enjoyed the presentation. Well done! As an added benefit, I got a good laugh on some of the things that didn't go right! :) Thank you.
Great presentation, one question though. Does it mean ISE is not a suitable solution for offshore environments with latency being more than 300 milliseconds, as you mentioned?
By "offshore", I assume you mean boats. Yes, naval and cruise ships have isolated ISE deployments because their satellite links are not fast enough. This is explicitly covered @ 55:55 Multiple ISE Deployments
@CiscoISE Thanks for your reply. A follow-up question: let's say you have 50+ ships, each with their own ISE deployments. How do you maintain all that from shore?
Are there any validated design guides for this yet? Particularly demonstrating best practices in having ISE nodes behind an Azure Load Balancer (with all its limitations).
Is it possible to do "Dynamic VLAN assignment" for Windows 10 devices managed by Intune? Example: HR people log in to the on-premises wired LAN and get assigned to VLAN 10 only. Similarly, do segmentation based on Azure AD groups.
Yeah, just use the Intune connector (MDM), it works fine :) (just a MAC address lookup of the device), so MAB second. If you do Azure EAP-TEAP, you can do an Azure group membership lookup on the group - so 802.1X.