https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846890#M24816 <P>Hi</P><P>Can we Restrict a client to authenticate on just one physical port?</P><P>that's mean the client cannot change its own physical port on a switch.</P><P>&nbsp;</P> Mon, 29 Apr 2019 05:10:43 GMT mortezasadeghi 2019-04-29T05:10:43Z https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846890#M24816 <P>Hi</P><P>Can we Restrict a client to authenticate on just one physical port?</P><P>that's mean the client cannot change its own physical port on a switch.</P><P>&nbsp;</P> Mon, 29 Apr 2019 05:10:43 GMT https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846890#M24816 mortezasadeghi 2019-04-29T05:10:43Z https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846904#M24819 <P>you would need to set up dot1x authentication, port based</P> Mon, 29 Apr 2019 05:40:05 GMT https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846904#M24819 Dennis Mink 2019-04-29T05:40:05Z https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846924#M24823 <P>We need to know your environement, Do you have ISE or any Authentication in your environment. then&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/322101">@Dennis Mink</a>&nbsp; suggested how you can do,&nbsp;</P> <P>&nbsp;</P> <P>If not only MAC Filter can help you.</P> <P>&nbsp;</P> Mon, 29 Apr 2019 06:13:57 GMT https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846924#M24823 balaji.bandi 2019-04-29T06:13:57Z https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846974#M24827 <HR /><P>hi&nbsp;<SPAN>&nbsp;</SPAN><A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/322101" target="_self"><SPAN class="">Dennis Mink</SPAN></A></P><P>I know.</P><P>But I'm asking how can I restrict the user. When they change their physical port, their device will not be authenticated.</P> Mon, 29 Apr 2019 08:09:43 GMT https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846974#M24827 mortezasadeghi 2019-04-29T08:09:43Z https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846977#M24831 <P>We have Cisco ACS</P> Mon, 29 Apr 2019 08:12:21 GMT https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3846977#M24831 mortezasadeghi 2019-04-29T08:12:21Z https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3847143#M24835 You have a couple of options. The easy thing would be to do port security on the physical interface. However, port security &amp; 8021x typically are not the best when playing together and in my opinion most people would say not to use both together. You could have your policy server deploy policy as you would with ISE or ACS. I think in order to meet your requirement you could eliminate relying on ISE/ACS and statically configure your one port for you one host with whatever policy you want to include vlan etc. You could then configure the other ports on the switch to use policy from AAA server &amp; ensure the one host you do not want to migrate is not a part of any groups on the AAA server so even if the host moved from one interface to another it would fail authentication/authorization and no longer be on the network. Mon, 29 Apr 2019 13:05:49 GMT https://community.cisco.com/t5/network-access-control/restrict-authentication/m-p/3847143#M24835 Mike.Cifelli 2019-04-29T13:05:49Z