https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4180425#M563676 <P>This is all covered step by step in<A href="https://community.cisco.com/t5/security-documents/cisco-ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">&nbsp;ISE Secure Wired Access Prescriptive Deployment Guide</A></P> Sun, 08 Nov 2020 05:29:43 GMT thomas 2020-11-08T05:29:43Z https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176166#M563578 <P>Hello,</P><P>I am looking to configure MAC-Authentication in our switches. Do you have any interface config you can share that is used in the production environment? Below is what I have so far. Am I missing anything or needs to be removed? What about some sort of timeout settings we can use?&nbsp;</P><P>&nbsp;</P><P>interface Gi1/0/1<BR />switchport mode access<BR />switchport access vlan 20<BR />switchport voice vlan 30<BR />authentication control-direction in<BR />authentication event server dead action authorize<BR />authentication event server dead action authorize voice<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-domain<BR />authentication order mab<BR />authentication priority mab<BR />authentication port-control auto<BR />authentication periodic<BR />authentication timer reauthenticate server<BR />authentication timer restart 1<BR />mab<BR />spanning-tree portfast</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 29 Oct 2020 22:21:50 GMT https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176166#M563578 tlxbx 2020-10-29T22:21:50Z https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176206#M563580 <P>High level your configuration is ok.</P> <P>&nbsp;</P> <P>but if this first-time deployment and testing, i will start with basic config and add more options as move one..since if it is not working you get hard time to what line causing the issue.</P> <P>&nbsp;</P> <P>so start with below :</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html" target="_blank">https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html</A></P> Fri, 30 Oct 2020 02:35:36 GMT https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176206#M563580 balaji.bandi 2020-10-30T02:35:36Z https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176390#M563582 <P>Agreeing with&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/286878">@balaji.bandi</a>&nbsp;to start with less, test, and build from there.&nbsp; Are you planning on allowing both a data and voice device on same port?&nbsp; Here is a breakdown of the different host modes for a better understanding:</P> <P class="pBu1_Bullet1">Single-host mode:</P> <P class="pB2_Body2">In single-host mode, only a single MAC or IP address can be authenticated by any method on a port. If a different MAC address is detected on the port after an endpoint has authenticated with 802.1X, MAB, or Web Authentication, a security violation is triggered on the port. This is the default behavior.</P> <P class="pBu1_Bullet1">Multi-domain-authentication (MDA) host mode:</P> <P class="pB2_Body2">MDA was specifically designed to address the requirements of IP telephony in an 802.1X environment. When MDA is configured, two endpoints are allowed on the port: one in the voice VLAN, and one in the data VLAN. Additional MAC addresses trigger a security violation.</P> <P class="pBu1_Bullet1">Multi-auth host mode:</P> <P class="pB2_Body2">If the port is configured for multi-auth mode, multiple endpoints can be authenticated in the data VLAN. Each new MAC address that appears on the port is separately authenticated. Multi-auth can be used for bridged virtual environments or to support hubs.</P> <P class="pBu1_Bullet1">Multi-host mode:</P> <P class="pB2_Body2">Unlike multi-auth host mode, which authenticates every MAC address, multi-host mode authenticates the first MAC address and then allows an unlimited number of other MAC addresses. Because of the security implications of multi-host, multi-auth is typically a better choice than multi-host.</P> <P class="pB2_Body2">HTH!</P> Fri, 30 Oct 2020 12:26:50 GMT https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176390#M563582 Mike.Cifelli 2020-10-30T12:26:50Z https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176448#M563585 <P>thank you both. what would be a simple config as i am new to this?</P> Fri, 30 Oct 2020 13:59:06 GMT https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176448#M563585 tlxbx 2020-10-30T13:59:06Z https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176782#M563591 <P>The basic config was available the URL was posted before on other thread (look at the URL Botom of the page)</P> <P>&nbsp;</P> <P>Main this as mentioned by&nbsp;&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/833210">@Mike.Cifelli</a>&nbsp; what kind of deployment you have based on that config should go into interface config.</P> <P>&nbsp;</P> <P>here is a good explanation of each one for your reference ( as mentioned go with the basic config build from there)</P> <P><A href="http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x" target="_blank">http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x</A></P> Sat, 31 Oct 2020 08:55:39 GMT https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4176782#M563591 balaji.bandi 2020-10-31T08:55:39Z https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4177407#M563606 <P>Thank you. I enjoyed reading the document and cleared many questions I had.</P><P>I want to follow up on "2.4.6 Inaccessible RADIUS Server". How can I configure the switch to detect if our RADIUS server goes down so we can take action to put clients on same vlans configured on the ports?</P> Mon, 02 Nov 2020 14:50:36 GMT https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4177407#M563606 tlxbx 2020-11-02T14:50:36Z https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4177567#M563611 <P>You have the ability to configure AAA dead-server detection.&nbsp; See here for more detail:&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-aaa-dead-server.html#GUID-46F1AAA9-273A-4DAF-9A1D-4354D335848F" target="_blank">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-aaa-dead-server.html#GUID-46F1AAA9-273A-4DAF-9A1D-4354D335848F</A>. HTH!</P> Mon, 02 Nov 2020 20:18:10 GMT https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4177567#M563611 Mike.Cifelli 2020-11-02T20:18:10Z https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4180425#M563676 <P>This is all covered step by step in<A href="https://community.cisco.com/t5/security-documents/cisco-ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">&nbsp;ISE Secure Wired Access Prescriptive Deployment Guide</A></P> Sun, 08 Nov 2020 05:29:43 GMT https://community.cisco.com/t5/network-access-control/mac-auth-interface-config/m-p/4180425#M563676 thomas 2020-11-08T05:29:43Z