topic Re: ISE Switch Setup with Port Security in Network Access Control

ISE Switch Setup with Port Security

mwalsh3 — Fri, 19 Feb 2016 14:29:54 GMT

Team,

Do we have any specific recommendations/best practices/caveats in doing 802.1x on switch ports with port security. Customer is experiencing some issues, we are working with TAC, but just wanted to understand if there was a standard stance on having both configured.

StartFragment

switchport access vlan 3025

switchport mode access

switchport port-security

switchport port-security aging time 2

switchport port-security maximum 2

switchport port-security violation restrict

switchport port-security aging type inactivity

authentication control-direction in

authentication host-mode multi-auth

authentication open

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

dot1x pae authenticator

storm-control broadcast level 10.00 3.00

storm-control action trap

spanning-tree portfast

spanning-tree bpduguard enable

EndFragment

Re: ISE Switch Setup with Port Security

Timothy Abbott — Fri, 19 Feb 2016 22:11:11 GMT

Michael,

Using port security with 802.1X is not supported with ISE. We recommend using either one or the other but not both.

Regards,

-Tim

Re: ISE Switch Setup with Port Security

mwalsh3 — Fri, 19 Feb 2016 22:20:55 GMT

Thanks Tim. I thought that our stance on that had changed. Appreciate the

info.

Mike Walsh

Consulting Systems Engineer

Enterprise Security Team

.:|:.:|:. Cisco

www.cisco.com/go/security

Re: ISE Switch Setup with Port Security

Timothy Abbott — Fri, 19 Feb 2016 22:24:50 GMT

You're welcome. If I'm mistaken, maybe one of the team will correct me.

Regards,

-Tim

Re: ISE Switch Setup with Port Security

Jason Kunst — Sat, 20 Feb 2016 10:48:47 GMT

It's not a matter of supporting it from ISE

This is an IBNS (switch) feature and requirement that port security and dot1x cannot be mixed

Not sure it makes sense anyway as long as you're authenticating securely why the limit?

I would reach out to them and explain

Re: ISE Switch Setup with Port Security

mwalsh3 — Sat, 20 Feb 2016 15:06:48 GMT

Thanks Jason. We did indicate that to the customer in terms of not needing

port security with 802.1x. So likely some more education needs to go on

there, but the customer told us that they found some sort of documentation

indicating the 2 configurations can coexist (and we thought maybe we had

heard something similar). So we will have them provide that documentation

so we can review it, but wanted to start by making sure what our current

stance was on this.

Thanks again.

Mike Walsh

Consulting Systems Engineer

Enterprise Security Team

Re: ISE Switch Setup with Port Security

Johannes Luther — Mon, 07 Aug 2017 14:11:27 GMT

Hi ... it has been over a year since the last reply in this thread. However, here's a follow up:

What's the official position on this right now? Is port-security supported in combination with multi-auth on the Catalyst switches (e.g. 2960-X). To be more precise I'm using c3pl (IBNS2).

Or the other way around: How do I restrict the number of MACs on a multi-auth port?

Re: ISE Switch Setup with Port Security

Alex Martin — Tue, 16 Jan 2018 19:18:04 GMT

I too would like to know the answer to your question. It seems odd to me that from a security perspective Cisco is saying you cannot secure the port with limiting layer 2 because we are authenticating devices with ISE.

What is going to stop a device from doing a MAC address flood attack on a port that is set for multi-auth?

Re: ISE Switch Setup with Port Security

gbekmezi-DD — Tue, 16 Jan 2018 20:54:07 GMT

multi-auth impies each MAC address is authenticated. It’s a rare case where authenticated endpoints are producing a flood attack. If the endpoint is authenticated and malicious, I’d be concerned about many other potential problems. I can see multi-host as a potential flooding concern, but the solution to that would be to not use multi-host .

Re: ISE Switch Setup with Port Security

twiggles — Wed, 17 Jan 2018 22:59:13 GMT

I agree with George. Port security is, IMO, a clumsier method of solving the same problem. Not only can you filter on the same mechanism in ISE (MAC address), you can filter on things like CDP and SNMP data now, or certificates. By implementing two solutions to the same problem you complicate troubleshooting and expose yourself to another branch of code that might have bugs.

Re: ISE Switch Setup with Port Security

sameeh.pp — Sat, 03 Feb 2018 09:57:28 GMT

Just thought it might be worth sharing, how in our network, a well authenticated cisco phone , brought whole network down.

Cisco phone was authenticated by ISE, with MAB, using in built profile of ISE

This phone model was effected with a bug, where in it stops the flow of bpdu from its data port to pc port.

An innocent end user [who doesnt know] connected this phone to network with both pc and data port, [instead of connecting pc to pc port]

Switch's STP function or bpdu guard can't help now, as there is no bpdu, they are filtered by buggy phone, and the data is looping

So, now there is undetected loop here, and via this loop, all the other authenticated mac address's are jumping back and forthe between ports, which caused CPU hike and network outage.

Though multi-auth, buggy phone, and inncocent end user contributed here in creating this loop[it indeed is a rare combination, but i have seen some other industrial type end devices as well doing this bpdu filtering], was wondering if port security had been there, it might have stopped this, as i could have put restriction in terms of number of mac addresses.

Any thought, which would help in this scenario

Re: ISE Switch Setup with Port Security

Jason Kunst — Sat, 03 Feb 2018 17:32:40 GMT

I would recommend reaching out to the switching team

Re: ISE Switch Setup with Port Security

mellalBrahim — Wed, 15 Feb 2023 15:50:09 GMT

hello,

i had the same issue, when the both are configured the ISE users are authentification periodically, and every time they disconnected. till i have disable the port security on the access ports.

so it is not support to enable the both on the same access port.

regards.

Re: ISE Switch Setup with Port Security

dfeliz_TJS — Sun, 23 Feb 2025 04:05:59 GMT

I know this is an old post, but multiple people are still looking into mixing ISE and port-security. I agree that it is rare for an authenticated device to flood the network. However, a MAC address flood attack on an ISE-protected port in multi-auth mode can inflate the ISE database of known devices. I have seen instances where an Apple device with a USB Ethernet dongle and enabled MAC randomization inflated the ISE known devices by 20,000 MAC addresses in a relatively short period. This was not an attack but a malfunctioning device. Some USB Ethernet adapters, particularly third-party ones, may not handle MAC addresses consistently. Each random MAC address triggers a new MAB request to Cisco ISE, resulting in thousands of authentication attempts. This behavior was prevented by adding port-security interface GigabitEthernet1/0/1
switchport mode access
switchport port-security
switchport port-security maximum 5
no switchport port-security mac-address sticky
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security violation restrict