Cisco ISE – Basic 802.1x With Windows Part Two – Configuring 802.1x Policies


KB ID 0001075 Dtd 10/06/15


Back in Part One, we joined Cisco ISE to Active Directory, now we we will take the built in ISE policies and change them. This will allow our clients to authenticate, with the correct protocols.


1. By default ISE will use pretty much any available protocol, we are going to use PEAP, although I’m also going to allow EAPTLS (it’s more secure and if I start rolling out certificates I’ve already got it available). Policy > Policy Elements > Results > Authentication > Allowed Protocols > Add > Give the protocol set a name > Allow EAPTLS and PEAP.

ISE 802.1x - Protocols

2. Policy > Authentication > There will be three built in, one for MAB and one for 802.1x, and a ‘catch all’ rule at the end. Edit the MAB rule.

ISE 802.1x - Authentication

3. Click the cross next to ‘Internal Endpoints’.

ISE 802.1x - MAB Authentication

4. Change the options, (top to bottom) to; Continue, Continue, and Drop.

ISE 802.1x - MAB Settings

5. Now edit the Dot1x policy.

ISE 802.1x - Policy Settings

6. Set the identity source to the Active Directory you configured in part one. Ensure the options are set (top to bottom) to; Reject, Reject, and drop.

ISE 802.1x - AD Settings

7. Finally change the ‘Allowed Protocol’ to the set you created in step 1. Then click ‘Save’.

ISE 802.1x - Authentication PEAP

Related Articles, References, Credits, or External Links


Author: Migrated

Share This Post On