https://community.cisco.com/t5/network-access-control/enroll-a-mgt-port-as-dot1x-supplicant-client-to-ad/m-p/3959370#M455609 <P>Hi everybody</P><P>&nbsp;</P><P>I'm building a lab to test the authentication methodes of all connected clients in our company (cameras, fire access points, PC, IP phones, APs., technical devices..etc) to our IP N/W. To do that I've&nbsp;a C3650-24 switch acting as authenticator on which I configured port24 as SPAN for wireshark, I've also&nbsp;a Cisco ISE as test Radius/ Tacacs as authentication server (with AD) and the Infoblox as DHCP/DNS servers. I try to&nbsp;test dot1x compatibility of&nbsp;client devices or for legacy ones fixed IP, the&nbsp;alternative MAB authentication methode.</P><P>&nbsp;</P><P>Before testing real client devices, I've choosen a C3650s as generic test device&nbsp;and its Ethernet&nbsp;Management port on which I can give a static IP or DHCP reservation IP config and to simulate its authentication with dot1x or with its mac add (for MAB), all works fine with MAB except that I cannot install a dot1x certificat on that management port and I don't know if it's really possible to make it configured as a supplicant&nbsp;candidate to&nbsp;enroll for a dot1x certificate over the company's AD and ISE, any idea is very welcome</P> Fri, 15 Nov 2019 15:30:27 GMT Zarra 2019-11-15T15:30:27Z https://community.cisco.com/t5/network-access-control/enroll-a-mgt-port-as-dot1x-supplicant-client-to-ad/m-p/3959370#M455609 <P>Hi everybody</P><P>&nbsp;</P><P>I'm building a lab to test the authentication methodes of all connected clients in our company (cameras, fire access points, PC, IP phones, APs., technical devices..etc) to our IP N/W. To do that I've&nbsp;a C3650-24 switch acting as authenticator on which I configured port24 as SPAN for wireshark, I've also&nbsp;a Cisco ISE as test Radius/ Tacacs as authentication server (with AD) and the Infoblox as DHCP/DNS servers. I try to&nbsp;test dot1x compatibility of&nbsp;client devices or for legacy ones fixed IP, the&nbsp;alternative MAB authentication methode.</P><P>&nbsp;</P><P>Before testing real client devices, I've choosen a C3650s as generic test device&nbsp;and its Ethernet&nbsp;Management port on which I can give a static IP or DHCP reservation IP config and to simulate its authentication with dot1x or with its mac add (for MAB), all works fine with MAB except that I cannot install a dot1x certificat on that management port and I don't know if it's really possible to make it configured as a supplicant&nbsp;candidate to&nbsp;enroll for a dot1x certificate over the company's AD and ISE, any idea is very welcome</P> Fri, 15 Nov 2019 15:30:27 GMT https://community.cisco.com/t5/network-access-control/enroll-a-mgt-port-as-dot1x-supplicant-client-to-ad/m-p/3959370#M455609 Zarra 2019-11-15T15:30:27Z https://community.cisco.com/t5/network-access-control/enroll-a-mgt-port-as-dot1x-supplicant-client-to-ad/m-p/3959869#M455611 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/934420">@Zarra</a>&nbsp;,</P> <P>&nbsp;</P> <P>You can try the&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html" target="_blank" rel="noopener">NEAT</A>&nbsp; configuration (highly complicated). But if you are simply doing a test for 802.1x and MAB, using a switch as a test device is really not the ideal candidate. Trust me.</P> <P>Moreover, this is not a 'real-world scenario', even for your own customer.</P> <P>You can use any PC, even the one you are using to logging into the switch <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 17 Nov 2019 14:23:08 GMT https://community.cisco.com/t5/network-access-control/enroll-a-mgt-port-as-dot1x-supplicant-client-to-ad/m-p/3959869#M455611 Anurag Sharma 2019-11-17T14:23:08Z