topic Re: MAC Pass-Through with EAP TLS in Network Access Control

MAC Pass-Through with EAP TLS

Anthony O'Reilly — Mon, 28 Mar 2022 20:51:13 GMT

Hi,

We have a two-node ISE deployment. Version 2.7 Patch 5.

Originally we deployed dot1x using MAR. We were also using ISE for Guest, BYOD and Corporate Access. We had mixed results using MAR. We also had to enable mac pass-through on Lenovo laptops.

Due to the issues with MAR, we deployed EAP-TLS for all dot1x supplicants. The customer is now deploying new Lenovo laptops.

We am having connectivity issues when going via Docking station to direct Ethernet connectivity and back to the Docking station.

When we are using EAP-TLS, is there any requirement for enabling mac pass-through? Do we still need this?

Thanks

Anthony.

Re: MAC Pass-Through with EAP TLS

Arne Bier — Tue, 29 Mar 2022 22:51:36 GMT

Hello @Anthony O'Reilly

You asked: "When we are using EAP-TLS, is there any requirement for enabling mac pass-through? Do we still need this?"

The MAC Passthrough is primarily there to stop the docking station from interfering with its own MAC address during any kind of authentication where the MAC address of the endpoint is important (and used in Authorization). If you're doing good old EAP-TLS then I don't believe the MAC address of the endpoint is of any concern. You might find though that if MAC Passthrough is not enabled then ISE might collect more endpoints than required, since it will also collect the MAC address of the docking station. Either way, the sooner we get away from using MAC addresses for any kind of authentication, the better. A unique device identifier would be much more useful, but it requires the endpoints to supply that data to the Authenticating Server (ISE).

Re: MAC Pass-Through with EAP TLS

Anthony O'Reilly — Tue, 12 Apr 2022 15:35:12 GMT

@Arne Bier Thanks Arne,

I've tested this over the last week and it is working ok. Thanks for your quick response.