topic Re: ISE and switch connected to floorbox socket in Network Security

ISE and switch connected to floorbox socket

Tibor M — Tue, 19 Aug 2025 08:53:38 GMT

Hi,

I have following situation:

ISE 3.4 Patch 3
Access switch for floor boxes sockets WS-C2960X-48LPS-L with 15.2(7)E10
2 Access switches for lab IP phones (96 phones) WS-C3560X-48P with 15.2(4)E3 - connected to public floor box socket and there is TRUNK with 2 allowed VLANs between these switches and switches cabled to floor box sockets (line above) and these switches have 1 SVI for management (as there is not enough floor box sockets to use management port)

I know this is not the best how to do it, but this lab must be public accessible and there is no other way how to connect 96 phones and their switches to core switches in server room physically securely. I also know switches are EOS, just ignore it, they are working.

The thing is that I we are security all floor box sockets with ISE. The problem I have is that IP hones switches have old IOS and does not support TLS1.2 for dot1x. So only way how to use EAP supplicant is to allow TLS1.0 on ISE. If I use MAB, then all IP phones are authenticated twice - first on their access switch in lab, second on parent access switch in server room (where all floor boxes sockets are cabled).

I do not know how to do it secure with current equipment. If keep only MAB on that floor box sockets in lab and disable dot1x EAP, or rather allow TLS1.0 on ISE and use dot1x EAP-FAST on IP phones switch and disable MAB on floor box switch. I was also looking into policies sets, that I do not know how to create condition for policy set as "Normalised Radius·RadiusFlowType == Wired802_1x && TLSVersion == TLSv1" - there is nothing like TLSVersion in possible options and do not know how to use it, even in Live Log is visible in Other Attributes.

Thanks

Re: ISE and switch connected to floorbox socket

MHM Cisco World — Tue, 19 Aug 2025 08:53:35 GMT

Sorry I dont get your request

But

SW to SW you can use MACSec

Phone to network you can use 802.1x and/or mab

MHM

Re: ISE and switch connected to floorbox socket

Tibor M — Tue, 19 Aug 2025 08:56:27 GMT

Let me clarify it. I want to know opinions how to secure Access Switch in server room, which is physically cabled to floor box sockets. So if anybody come to that LAB room and disconnect access switch (used for IP phones) from floor box sockets, so floor box socket will be stills secured by ISE and nobody unauthorized can use it.

Re: ISE and switch connected to floorbox socket

MHM Cisco World — Tue, 19 Aug 2025 09:07:27 GMT

MAB or 802.1x use only in SW direct connect to endpoint

I.e. this need to use in cat3500 series

MHM

Re: ISE and switch connected to floorbox socket

MHM Cisco World — Tue, 19 Aug 2025 09:14:35 GMT

You need Access SW run as supplicant?

MHM

Re: ISE and switch connected to floorbox socket

Marvin Rhoads — Tue, 19 Aug 2025 09:55:20 GMT

This sounds like a use case for NEAT (Network Edge Authentication Technology). Have a look at this reference to see if it addresses your requirement and concerns:

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-286005059

Re: ISE and switch connected to floorbox socket

bonniefr — Tue, 19 Aug 2025 10:13:58 GMT

It looks like the ISE and switch are connected to the floorbox sockets, please check the wiring and ensure the configuration is correct.

Re: ISE and switch connected to floorbox socket

Tibor M — Tue, 19 Aug 2025 13:03:34 GMT

hope this screenshot help to understand what I'm trying to solve. I do not know if there is other way than using MAB only multi-auth on that socket (where each phone is authenticated twice - switches in lab and then in server room due MAB and multi-auth), or rather allow TLSv1.0 on ISE and configure switches in phone lab as supplicant (they are old, no TLSv1.2 on them).

Re: ISE and switch connected to floorbox socket

MHM Cisco World — Tue, 19 Aug 2025 13:41:53 GMT

You need to authc endpoints connect to access SW ?

If access SW have UP mgmt interface can connect to ISE then access SW can authc the endpoints' and after these endpoints authc it can access network' i.e. checkpoint need close to endpoint and after this checkpoint ypu can go wherever you want.

MHM

Re: ISE and switch connected to floorbox socket

Marvin Rhoads — Tue, 19 Aug 2025 15:49:23 GMT

Did you look at the link I shared regarding NEAT setup? With that, the access switch in the server room authenticates the switch connected to the floor box socket. That switch in turn is the network access device passing requests to ISE to authenticate the IP phones (with MAB). If anything else is plugged directly into a floor box socket, it authenticates via the server room switch. No TLS 1.0 is used and the phones should only ever appear in authentication sessions of the switch they are directly plugged into.

Re: ISE and switch connected to floorbox socket

Tibor M — Tue, 19 Aug 2025 18:14:37 GMT

@Marvin Rhoads yes, looks it is what I need. I have to study it more, I'm still beginner with ISE.

Also you are all more experienced, so can anybody tell me where to look for if I want to make Policy condition based on any attribute from live log "Other attributes" section on ISE 3.4?

Re: ISE and switch connected to floorbox socket

MHM Cisco World — Tue, 19 Aug 2025 18:18:50 GMT

Sorry continue with @Marvin Rhoads

Let him help you to config ISE to authc SW connect to other SW

Goodluck

MHM