topic Re: ISE authenticating Guest VMs in Network Access Control

ISE authenticating Guest VMs

Cory Peterson — Thu, 21 Jun 2018 21:55:13 GMT

Can anyone confirm if this comment is correct or not? I have never heard this statement before and have authenticated Guest VMs many times in the past. I recently ran in to an issue where some of the guests are not even showing in the auth session database on the switch or ISE and reached out to TAC.

"Dot1x or MAB authentication for VMs is known for not working properly or not working at all, and is not supported."

Thank You,

-Cory

Re: ISE authenticating Guest VMs

paul — Fri, 22 Jun 2018 02:44:30 GMT

Hmm in bridged mode the guest VMs should have unique MACs and show up on the switch port to be authenticated. In NAT mode only the host's MAC would show up. Are you seeing the MAC's show up on the switch port when you so "show auth session" or "show access-session"?

Re: ISE authenticating Guest VMs

Cory Peterson — Fri, 22 Jun 2018 06:13:47 GMT

I see all the MACs in the cam tables but only some of the MACs in the auth session table. It is not any set amount missing between different ports either, Some have 6 of 8 Authenticating others have 4 of 8 authenticating.

The reason I asked about the comment in bold is that is what TAC sent me in an email and I have never seen that mentioned in all the posts here about Authenticating Guest VMs on an access port.

Re: ISE authenticating Guest VMs

hslai — Fri, 22 Jun 2018 20:36:59 GMT

This is the first I heard of it. If possible, please share the TAC case number so we may take a look and see more context.

Re: ISE authenticating Guest VMs

Cory Peterson — Fri, 22 Jun 2018 21:59:42 GMT

We have not done much with the case yet but collect logs and Show Tech, and before we did much I got that response from TAC.

TAC Case#684675337

Thanks for looking in to this!

Re: ISE authenticating Guest VMs

hslai — Sat, 23 Jun 2018 02:14:03 GMT

I see your case has all mac addresses in "show mac add int <>" but not in "show auth sessions int <>". If possible, I would suggest to try (1) a hub and some physical wired devices on the same 4510R+E with Sup8-E and (2) a different switch model, such as 3650. This is likely a bug on the switch platform.

The VM issues I usually running into in our lab are because they are connecting to a VMware port-group, which in turn to the VMware vSwitch and then to the physical interface. Thus, we usually need to use some particular means to get DOT1X to work, especially with the native supplicants, or they would fail over to MAB.

I tried 9 clients on the same interface of 3650 (on 3.6.3E) in our lab and all showed up in both "show auth sessions int <>" and "show mac add int <>".

Re: ISE authenticating Guest VMs

Damien Miller — Mon, 25 Jun 2018 04:05:59 GMT

Cory, Hit me up on Skype tomorrow, I have dealt with some interesting behavior with vmware over the past couple years. We can at least go over my lessons learned and maybe something will relate to the issue you are having.

Re: ISE authenticating Guest VMs

thomas — Mon, 25 Jun 2018 16:55:10 GMT

Cory, we have always used Windows VMs for our ISE Sales Trainings so you absolutely can do it!

The key is to directly map a VM to a specific physical port (wireless/wired USB dongle, UCS ethernet port, etc.).

Altenatively, ensure you have bridged the VMware NIC to the host computer NIC.

Do not use VMware NAT! If you use VMware NAT, the VM's MAC will not show on the port and all traffic will look like that of the host computer.