https://community.cisco.com/t5/network-access-control/ise-support-on-third-party-switch-doing-802-1x-authc-on/m-p/2237703#M136036 <HTML><HEAD></HEAD><BODY><DIV><P>Cool Jatin</P><P></P><P>First and foremost, thanks for the replies. </P><P></P><P>The third party LAN switch model mention is 3Com® Baseline Switch 2948-SFP Plus. After reviewing the user manual, it seems like a L2 LAN switch. </P><P></P><P>Acutally, my business requirement can be either:</P><P>a. optimum, the switch support FlexAuth (open mode, then evolve to low impact mode)</P><P>b. due to switch limitation capabilities, as long as it can do 802.1X authentication</P><P></P><P>after&nbsp; review the documentation, i still found out some of the configuration&nbsp; that look like unable to configure on the 3COM switch. </P><P></P><P>example</P><P>a. configure RADIUS setting</P><P>ip radius source-interface</P><P>radius-server attribute 6 on-for-login-auth</P><P>radius-server attribute 8 include-in-access-req</P><P>radius-server attribute 25 access-request include</P><P></P><P>b. identity setting on switch port, to support FlexAuth</P><P>mab</P><P>authentication host-mode multi-auth</P><P>authentication order</P><P></P><P>c. policy enforcement</P><P>radius-server-vsa send authenticaiton</P><P>radius-server-vsa send accounting</P><P></P><P>d. Change of Authorization (COA), the most crucial</P><P>aaa server radius dynamic-author </P><P></P><P>e. dACL apply to the port after authentication, based on authorization profile. </P><P></P><P>So, to hit the baseline, i guess it can do 802.1X authentication but not with FlexAuth feature. </P><P></P><P>For the C4507, thanks for the info. </P><P></P><P>million thanks</P><P></P><P>Noel</P></DIV></BODY></HTML> Sat, 08 Jun 2013 09:54:51 GMT yong khang NG 2013-06-08T09:54:51Z https://community.cisco.com/t5/network-access-control/ise-support-on-third-party-switch-doing-802-1x-authc-on/m-p/2237701#M136019 <DIV><P>Hi all, </P><P></P><P>Have few question on how ISE support on third party LAN switch, if the requirement is doing 802.1X based flexauth.</P><P></P><P>Refer to the diagram i attached; 01 topology.png</P><P></P><P>Concern&nbsp; 1: if the 3com switch with 802.1X feature, but still without the full&nbsp; feature to support FlexAuth, policy encforcement, DACL etc. In this kind&nbsp; of situation, will user still able to authenticate (using method&nbsp; PEAP-MSCHAP v2), but authorization just grant with permit any any?</P><P></P><P>Concern&nbsp; 2: In this case, can i assume i authenticated the 3com switch using&nbsp; MAB? But this will cause endpoint with no 802.1X, am i right?</P><P></P><P>Concern&nbsp; 3: cisco switch C4507-E, loaded with IOS version&nbsp; Cat4500e-UNIVERSALK9-M, version 03.04 and Supervisor Engine&nbsp; :WS-X45-SUP7-E, is this platform is supported in Cisco TrusctSEC? </P><P></P><P>Please advice, million thanks</P><P></P><P>Noel</P></DIV> Mon, 11 Mar 2019 03:31:27 GMT https://community.cisco.com/t5/network-access-control/ise-support-on-third-party-switch-doing-802-1x-authc-on/m-p/2237701#M136019 yong khang NG 2019-03-11T03:31:27Z https://community.cisco.com/t5/network-access-control/ise-support-on-third-party-switch-doing-802-1x-authc-on/m-p/2237702#M136022 <HTML><HEAD></HEAD><BODY><P>Yes users will be able to authenticate. With MAB you can not use peap because it uses PAP as a authentication type and it is used for devices who doesn't understand 802.1x.</P><P></P><P>looks like it is supported but with few limitation</P><P>The following guidelines and limitations apply to&nbsp; configuring Cisco TrustSec SGT and SGACL on Catalyst&nbsp; WS-X45-SUP7-E/SUP7L-E and WS-C4500X-32 switches: </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/appb_cat4k.html">http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/appb_cat4k.html</A></P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Sat, 08 Jun 2013 09:49:25 GMT https://community.cisco.com/t5/network-access-control/ise-support-on-third-party-switch-doing-802-1x-authc-on/m-p/2237702#M136022 Jatin Katyal 2013-06-08T09:49:25Z https://community.cisco.com/t5/network-access-control/ise-support-on-third-party-switch-doing-802-1x-authc-on/m-p/2237703#M136036 <HTML><HEAD></HEAD><BODY><DIV><P>Cool Jatin</P><P></P><P>First and foremost, thanks for the replies. </P><P></P><P>The third party LAN switch model mention is 3Com® Baseline Switch 2948-SFP Plus. After reviewing the user manual, it seems like a L2 LAN switch. </P><P></P><P>Acutally, my business requirement can be either:</P><P>a. optimum, the switch support FlexAuth (open mode, then evolve to low impact mode)</P><P>b. due to switch limitation capabilities, as long as it can do 802.1X authentication</P><P></P><P>after&nbsp; review the documentation, i still found out some of the configuration&nbsp; that look like unable to configure on the 3COM switch. </P><P></P><P>example</P><P>a. configure RADIUS setting</P><P>ip radius source-interface</P><P>radius-server attribute 6 on-for-login-auth</P><P>radius-server attribute 8 include-in-access-req</P><P>radius-server attribute 25 access-request include</P><P></P><P>b. identity setting on switch port, to support FlexAuth</P><P>mab</P><P>authentication host-mode multi-auth</P><P>authentication order</P><P></P><P>c. policy enforcement</P><P>radius-server-vsa send authenticaiton</P><P>radius-server-vsa send accounting</P><P></P><P>d. Change of Authorization (COA), the most crucial</P><P>aaa server radius dynamic-author </P><P></P><P>e. dACL apply to the port after authentication, based on authorization profile. </P><P></P><P>So, to hit the baseline, i guess it can do 802.1X authentication but not with FlexAuth feature. </P><P></P><P>For the C4507, thanks for the info. </P><P></P><P>million thanks</P><P></P><P>Noel</P></DIV></BODY></HTML> Sat, 08 Jun 2013 09:54:51 GMT https://community.cisco.com/t5/network-access-control/ise-support-on-third-party-switch-doing-802-1x-authc-on/m-p/2237703#M136036 yong khang NG 2013-06-08T09:54:51Z