topic Re: Cisco NAC and MACSEC Switch connection in Network Access Control

Cisco NAC and MACSEC Switch connection

Davis-Revent-12 — Wed, 16 Apr 2025 12:25:45 GMT

Hi Cisco NAC peeps

We have an existing deployment using Cisco NAC configured on cat ios-xe switches i.e. 9400 that have NAC enabled access interfaces for authentication via Cisco ISE using 802.1x cert auth for PCs and mab authentication for other devices.

My questions are

1) If we connect a new access layer switch from a new site - call it site 2 across the road using fiber to the existing site 1 FD switch will NAC still work on it still if we connect at layer 2 and enable psk mac sec between the switch's trunk links connecting site 1 to site 2 which is network-link mode and with the access ports on the new site 2 switch enabled with NAC on the access interfaces also ?

2) Can we also connect off the new site 2 switch another switch off it i.e. daisy chain on layer 2 and run nac .

so, it would be connected as: site 1 switch FD <> site 2 switch A <> site 2 switch B.

I am fairly sure it will still work with NAC etc. but just seeing if anything would be an issue - Apart from the obvious potential bottleneck on the first switch 2 uplinks to switch 1 FD switch

Any comments would be welcome

Thanks

Re: Cisco NAC and MACSEC Switch connection

Rob Ingram — Wed, 16 Apr 2025 13:21:51 GMT

@Davis-Revent-12 I don't foresee a problem with this, MACsec will be enabled on the interfaces connecting the switches and NAC (802.1X/MAB) enabled on the switchports the endpoints are connected too. The switches will need a mgmt IP address to be able to communicate with ISE using RADIUS and configured for NAC.

Yes you can daisy chain another switch, just don't enable NAC on the interfaces between switches.

Re: Cisco NAC and MACSEC Switch connection

ahollifield — Wed, 16 Apr 2025 13:34:59 GMT

Should be no issue.

Re: Cisco NAC and MACSEC Switch connection

Davis-Revent-12 — Thu, 17 Apr 2025 02:32:52 GMT

Hi Rob

Thanks for the confirming what I thought also. Yeah I cannot see why it would not work., Noted also on not enabling NAC on any of the switch to switch connections be it they use macsec or not .

So our connection would be something along these lines

Site 1 FD switch <Fiber with macseclink> Site 2 switch A <Fiber link> Site 2 Switch B .

Site 2 switches access ports only enabled with NAC

Cheers

Re: Cisco NAC and MACSEC Switch connection

Davis-Revent-12 — Thu, 17 Apr 2025 02:24:44 GMT

Thanks for responding back also and confirming as such

Cheers