https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117213#M324861 <HTML><HEAD></HEAD><BODY><P>I think the same, it is not possible.</P><P></P><P>Since I need to check if the user belongs to some AD group, and I need to check at the same time that the user IP is from specific subnet, then I need to authorize the access to specific VLAN.</P><P></P><P>If the idea of Attribute 8 can work on this scenario, then I need to create an authorization profile for each user on the AD group, and this also is not scalable solution for the ISE, and I think this will not work in DHCP environment.</P><P></P><P>About the "<SPAN style="font-size: 10pt;">tunnel-private-group-id</SPAN><SPAN style="font-size: 10pt;">", according to the RFC2868, it will be sent on the Access-Request, can I sent the original VLAN of the port before the dot1x authentication with this attribute?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thanks.</SPAN></P><P><SPAN style="font-size: 10pt;">Ahmad.</SPAN></P></BODY></HTML> Sun, 13 Jan 2013 18:25:16 GMT Ahmad Murad 2013-01-13T18:25:16Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117205#M324536 <P>Hello All,</P><P></P><P>I have a question regarding the following scenario:</P><P></P><P>If I have ISE deployment with x endpoint license, I have the following setup:</P><P></P><P>ISE ------- SW ------- IP Phone ------- Hub ------ 4 Devices connected</P><P></P><P>I need to authenticate and profile all 4 devices connected to the Hub, but in the same time, I don't need to authenticate the IP Phone using the ISE since this will consume extra endpoint from the license count, and I need to overcome this scenario.</P><P></P><P>From the configuration point of view, using "authentication host-mode multi-auth" will solve the issue for the devices connected to the Hub, but how I can exclude the IP Phone from the endpoint count from the ISE point of view?</P><P></P><P>Thanks.</P><P>Ahmad.</P> Mon, 11 Mar 2019 02:57:16 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117205#M324536 Ahmad Murad 2019-03-11T02:57:16Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117206#M324538 <HTML><HEAD></HEAD><BODY><P>Are you talking about the advanced or the base license count ?</P></BODY></HTML> Sat, 12 Jan 2013 20:42:42 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117206#M324538 jan.nielsen 2013-01-12T20:42:42Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117207#M324541 <HTML><HEAD></HEAD><BODY><P>You will not be able to bypass this scenario since authentication host mode single mode will allow cdp bypass.<BR /><BR />With multiauth all devices must authenticate much like you mentioned. You will have to purchase or account for your base license being consumed by your ip phone, you can manually import all the phones mac address and you can use mab to authenticate t<BR /><BR /><BR />Sent from Cisco Technical Support Android App</P></BODY></HTML> Sat, 12 Jan 2013 22:11:48 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117207#M324541 Tarik Admani 2013-01-12T22:11:48Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117208#M324553 <HTML><HEAD></HEAD><BODY><P>I'm talking about base and advnaced at the same time. I'm talking about endpoint, not what is the function? the end points connected behind a hub may have posture policy.</P><P></P><P>Thanks.</P><P>Ahmad.</P></BODY></HTML> Sun, 13 Jan 2013 15:39:48 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117208#M324553 Ahmad Murad 2013-01-13T15:39:48Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117209#M324579 <HTML><HEAD></HEAD><BODY><P>Thanks Tarik, with this setup and the command "<SPAN style="font-size: 10pt;">authentication host-mode multi-auth</SPAN><SPAN style="font-size: 10pt;">", all the devices behind the IP Phone will be authenticated, and also the IP phone also must be counted on the license number, even we authenticate it using dot1x or we use MAB for it.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Also I can use the MAB for the devices connected to the same hub if I have printer, scanners or any device that does not support dot1x, right ?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thanks.</SPAN></P><P><SPAN style="font-size: 10pt;">Ahmad.</SPAN></P></BODY></HTML> Sun, 13 Jan 2013 15:54:26 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117209#M324579 Ahmad Murad 2013-01-13T15:54:26Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117210#M324611 <HTML><HEAD></HEAD><BODY><P>That is correct, but the only issue you run into is being able to place the "data" devices on different vlans. So if a computer plugs in and needs to have guest access, they will be placed on the same vlan as the first device that connects to it.</P><P></P><P>Here is some reference material on that scenario. </P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/sw8021x.html#wp1347331">http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/sw8021x.html#wp1347331</A></P><P></P><P>Thanks,</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Sun, 13 Jan 2013 16:30:39 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117210#M324611 Tarik Admani 2013-01-13T16:30:39Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117211#M324712 <HTML><HEAD></HEAD><BODY><P>Thanks again Tarek, yes it is logical that all the devices behind will be authenticated and authorized to the same VLAN since we are dealing with access-port here from the switch point of view.</P><P></P><P>I have a question out of the context, can I have a rule to check the subnet of the user and the AD group at the same time, I mean if the user subnet is 10.0.0.0/24 and belongs to AD group "IT" then the authorization will be VLAN25, if he belongs to different subnet (10.0.1.0/24) but the same AD group then the authorization will be VLAN50.</P><P></P><P>I have read but not sure if I can use Radius IP framed and Framed subnet will help or not?</P><P></P><P><SPAN style="font-size: 10pt;">Thanks.</SPAN></P><P>Ahmad.</P></BODY></HTML> Sun, 13 Jan 2013 17:49:05 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117211#M324712 Ahmad Murad 2013-01-13T17:49:05Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117212#M324777 <HTML><HEAD></HEAD><BODY><P>This may not be possible due to the fact that dot1x authentication sends the client's mac address in the calling station id attribute. When using web authentication, or vpn authentication would expect this value to be the client's ip address.</P><P></P><P>The framed ip address is an accounting attribute (based on my knowledge) and usually takes place after authentication. However I know that the tunnel-private-group-id (user or port vlan) is sent in the access-request. Would that help in your scenario?</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/ios/12_2t/12_2t11/feature/guide/radattr8.html#wp1023050">http://www.cisco.com/en/US/docs/ios/12_2t/12_2t11/feature/guide/radattr8.html#wp1023050</A></P><P></P><P>Thanks,</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Sun, 13 Jan 2013 17:53:53 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117212#M324777 Tarik Admani 2013-01-13T17:53:53Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117213#M324861 <HTML><HEAD></HEAD><BODY><P>I think the same, it is not possible.</P><P></P><P>Since I need to check if the user belongs to some AD group, and I need to check at the same time that the user IP is from specific subnet, then I need to authorize the access to specific VLAN.</P><P></P><P>If the idea of Attribute 8 can work on this scenario, then I need to create an authorization profile for each user on the AD group, and this also is not scalable solution for the ISE, and I think this will not work in DHCP environment.</P><P></P><P>About the "<SPAN style="font-size: 10pt;">tunnel-private-group-id</SPAN><SPAN style="font-size: 10pt;">", according to the RFC2868, it will be sent on the Access-Request, can I sent the original VLAN of the port before the dot1x authentication with this attribute?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thanks.</SPAN></P><P><SPAN style="font-size: 10pt;">Ahmad.</SPAN></P></BODY></HTML> Sun, 13 Jan 2013 18:25:16 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117213#M324861 Ahmad Murad 2013-01-13T18:25:16Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117214#M324992 <HTML><HEAD></HEAD><BODY><P>Yes the switch sends this in the initial access-request to see which vlan the client is trying to connect to. Keep in mind with ISE you can assign user vlans so in your scenario you can set the default vlan to a dummy vlan (or even guest). From there you can assign the vlan using the radius attributes and also use other scenarios: ie. Network device location (for example Dallas), and AD group (for example IT). Then hand back the result of VLAN 100.</P><P></P><P>The dot1x authentication is tunneled through the radius packet as an AV Pair, you have dot1x which is the L2 transport between switch and client, then you have that encapsulated within a radius packet which uses L3 between switch and radius server.</P><P></P><P>When dot1x is configured this in turn triggers a radius transaction between the switch and radius server.</P><P></P><P>I hope that helps.</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Sun, 13 Jan 2013 19:44:40 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117214#M324992 Tarik Admani 2013-01-13T19:44:40Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117215#M325057 <HTML><HEAD></HEAD><BODY><P>Thanks Tarik for this valuable discussions, appreciated.</P><P></P><P>Thanks.</P><P>Ahmad.</P></BODY></HTML> Mon, 14 Jan 2013 07:15:57 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-with-ip-phone-and-hub-connected-behind/m-p/2117215#M325057 Ahmad Murad 2013-01-14T07:15:57Z