I have a question since I am deploying the 802.1x port-based security feature on a CAT 29600, and the following is the existing config with port-security enabled on the interface. Can I configure multi-auth host mode on the interface? I have doubts it may not work as expected due to MAC aging and port-security violations.
"In general, Cisco does not recommend enabling port security when IEEE 802.1x is enabled. Since IEEE 802.1x enforces a single MAC address per port (or per VLAN when MDA is configured for IP telephony), port security is redundant and in some cases may interfere with expected IEEE 802.1x operations."
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 6
switchport port-security maximum 4 vlan access
switchport port-security maximum 2 vlan voice
switchport port-security aging time 1
switchport port-security aging type inactivity
srr-queue bandwidth share 1 30 35 5
mls qos trust dscp
auto qos trust dscp
What is the best way to configure authentication host-mode for a port which has port security enabled?
As Damien said, don't do this. Having tried this at a customer (against my will) and seeing the odd issues, I wouldn't recommend doing this. We ended up ripping all the port security off.
As Damien and Paul say, this is not recommended. From our Prescriptive Deployment Guide (ise-secure-wired-access-prescriptive-deployment-guide):
Note: Even though the port-security interface command enforces MAC address limit, it is not compatible with the authentication/dot1x configurations on the switch port. In general, we recommend that you do not enable port security when IEEE 802.1x is enabled.
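To make the recommendation in the replies concrete, here is the posted interface shown beside the form the guide points to: the port-security lines removed and the per-host MAC limit enforced by 802.1X/MAB in multi-auth host mode instead. This is an added example, not config from the original thread or the guide; it assumes a GigabitEthernet1/0/1 interface name, keeps the poster's `XXX` voice VLAN placeholder, leaves the unchanged QoS lines out, and assumes the global AAA/RADIUS/dot1x configuration (aaa new-model, dot1x system-auth-control, RADIUS servers) is already in place.

```cisco
! --- As posted: port-security MAC limits on a port that will also run 802.1x ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan XXX
 switchport port-security maximum 6
 switchport port-security maximum 4 vlan access
 switchport port-security maximum 2 vlan voice
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
! --- Recommended form: no port-security; 802.1x multi-auth authenticates each host ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan XXX
 ! disable the port-security feature and clear its per-VLAN limits and aging
 no switchport port-security
 no switchport port-security maximum 4 vlan access
 no switchport port-security maximum 2 vlan voice
 no switchport port-security maximum
 no switchport port-security aging time
 no switchport port-security aging type
 ! multi-auth: every data-VLAN host is authenticated individually,
 ! and a single authenticated device is allowed in the voice domain,
 ! so the switch no longer needs a static MAC count on the port
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
```

After the change, `show authentication sessions interface GigabitEthernet1/0/1` lists each authenticated host and its domain (DATA or VOICE), which is the per-host view that port-security counters used to approximate.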