https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549313#M572700 <P>&nbsp;</P><P>Thank you Arne, yes, agree, the key is that they a device needs to have the supplicant installed. The alternative is MAB. However, isn't it also possible to install a temporary web-based client through posture/provisioning /remediation provided that the client is non-compliant?</P><P>&nbsp;</P><P>Regards,</P><P>Netmart</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 10 Feb 2022 05:35:09 GMT Netmart 2022-02-10T05:35:09Z https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4546371#M572609 <P>Hello,</P><P>I am wondering, whether the following interface config would allow access of phone and workstation to network, meaning do they get successfully authenticated via ISE:</P><P>&nbsp;</P><P>Interface Te1/12</P><P>description ISE dot1x Port</P><P>switchport access vlan 10</P><P>&nbsp;switchport mode access</P><P><STRONG>switchport voice vlan20</STRONG></P><P>device-tracking attach-policy IPDT_MAX_3</P><P><STRONG>authentication periodic</STRONG></P><P><STRONG>authentication timer reauthenticate server</STRONG></P><P><STRONG>access-session host-mode </STRONG><STRONG>multi-domain</STRONG></P><P><STRONG>access-session port-control auto</STRONG></P><P>snmp trap mac-notification change added</P><P>snmp trap mac-notification change removed</P><P class="lia-align-left"><STRONG><I>d</I></STRONG><STRONG>ot1x </STRONG><STRONG>pae</STRONG><STRONG> authenticator</STRONG></P><P>dot1x timeout tx-period 7</P><P>dot1x mac-reauth-req 3</P><P>Spanning-tree portfast</P><P><STRONG>service-policy type control subscriber </STRONG>POLICY_Te1/12</P><P>&nbsp;</P><P>Thank you for your advice.</P> Sun, 06 Feb 2022 21:40:55 GMT https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4546371#M572609 Netmart 2022-02-06T21:40:55Z https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4546403#M572610 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/244740">@Netmart</a>&nbsp;,<BR /><BR />Can you share what is inside the service policy&nbsp;<SPAN>POLICY_Te1/12 ?<BR /><BR /></SPAN></P> Mon, 07 Feb 2022 04:32:38 GMT https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4546403#M572610 Amine ZAKARIA 2022-02-07T04:32:38Z https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4546572#M572617 <P><SPAN>I am wondering, whether the following interface config would allow access of phone and workstation to network</SPAN></P> <P>-You are attempting to operate with the correct mode:&nbsp;<STRONG>access-session host-mode<SPAN>&nbsp;</SPAN></STRONG><STRONG>multi-domain</STRONG> =&nbsp;<SPAN>Specifies that only one client per domain (DATA or VOICE) can be authenticated at a time.&nbsp; However, you will need to test because we cant see what is in the service policy attached to interface.</SPAN></P> Mon, 07 Feb 2022 12:37:48 GMT https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4546572#M572617 Mike.Cifelli 2022-02-07T12:37:48Z https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549065#M572697 <P>The switch port config shown will only process 802.1X frames (EAPOL). If any attached devices do not have a supplicant, then they won't be authorized onto either DATA or VOICE Domain. If you need to process non-supplicant devices, then also add the MAB command to the interface.</P> Wed, 09 Feb 2022 23:02:41 GMT https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549065#M572697 Arne Bier 2022-02-09T23:02:41Z https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549313#M572700 <P>&nbsp;</P><P>Thank you Arne, yes, agree, the key is that they a device needs to have the supplicant installed. The alternative is MAB. However, isn't it also possible to install a temporary web-based client through posture/provisioning /remediation provided that the client is non-compliant?</P><P>&nbsp;</P><P>Regards,</P><P>Netmart</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 10 Feb 2022 05:35:09 GMT https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549313#M572700 Netmart 2022-02-10T05:35:09Z https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549315#M572701 <P>Hi Mike,</P><P>Thank you for clarification.</P><P>Only the wording is still a bit confusing to me.</P><P>"only one client per DATA or VOICE domain can be authenticated at a time.</P><P>Meaning only a PC OR&nbsp; phone can run at a time on the port</P><P>or</P><P>Only one PC AND Phone can run per time at a port?</P><P>&nbsp;</P><P>Regards,</P><P>Martin</P> Thu, 10 Feb 2022 05:38:50 GMT https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549315#M572701 Netmart 2022-02-10T05:38:50Z https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549410#M572709 <P>multi-domain is one of a variety of security mechanism that limits the number of MAC addresses that will be learned on that interface. In this case, multi-domain means,</P> <P>1 MAC address in the DATA domain</P> <P>1 MAC address in the VOICE domain</P> <P>If you were to violate that by assigning the phone to a VLAN in the DATA domain, and then also attaching a PC to the phone's data port, then the switch will err-disable the port because now you'll have 2 MAC addresses in the DATA domain. Or, more commonly, if you attach a small hub or switch to the phone, thinking you can hook a few devices up ... it won't work.</P> <P>The are other options like multi-host, etc. - you can google it</P> Thu, 10 Feb 2022 09:09:00 GMT https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549410#M572709 Arne Bier 2022-02-10T09:09:00Z https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549416#M572710 <P>If a client doesn't have a supplicant, then it will never speak EAPOL (EAP over LAN). This is a layer 2 protocol. You either have it or you don't. If you don't, then the switch will accept "normal" traffic when mab is enabled on that port. Switch sends MAC address to ISE to authorize and if successful then the port is authorized and then it's business as usual (DHCP etc.). What the client then does with a web based client etc. all runs while the port is in MAB auth'd mode.&nbsp; And you can do whatever compliance checks you need/like. If the client is found to be non-compliant then you can reauth it and stick the device into another VLAN. Problem with VLAN switching in that scenario (where the PC already has an IP address via DHCP) is that you'd probably need to bounce the port to force the client to perform DHCP again.</P> Thu, 10 Feb 2022 09:14:16 GMT https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549416#M572710 Arne Bier 2022-02-10T09:14:16Z https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549800#M572720 <P>Thank you for clearing this up..</P><P>The figure below actually actually illustrating your findings.</P><P>By default, 802.1x only EAP is allowed, Authentication Open all ports allowed, or if no supplicant [no EAPOL] MAB is the alternative.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="802.1x.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/143527i87A3E4FF0D384279/image-size/large?v=v2&amp;px=999" role="button" title="802.1x.png" alt="802.1x.png" /></span></P> Thu, 10 Feb 2022 18:02:01 GMT https://community.cisco.com/t5/network-access-control/802-1x-device-authentiction-with-ise/m-p/4549800#M572720 Netmart 2022-02-10T18:02:01Z