ISE policy for bridged Virtual machines?

rcullum
Level 1

Hi

Is there a way I can write a policy condition so that I can allow bridged virtual machines onto my network using MAB, only if the same switchport has already seen the physical host do a dot1x authentication and is still attached? The switchport is in multi-auth mode but I don't want to just allow any old workstation on using MAB. I also don't want to just rely on checking for the VMware MAC OUI.

6 Replies

Craig Hyps
Level 10

Multi-Auth can require each host/guest to be individually authenticated and in bridged mode they will appear to be two separate hosts, so whatever policy applies to the guest VM as a standard host can be applied.  Multi-host mode would allow any other hosts to connect once first host authorized -- using same policy as first. 

I understand all that. But VM hosts on a laptop are commonly run up as test environments. They are not always joined to a domain, so getting the dot1x authentication of the VM is not really an answer. MAC addresses are dynamically assigned by the VM software, so the overhead of administering MAB to only allow certain MAC addresses onto the network would be a nightmare, plus it doesn't prevent MAC spoofing. The only way I can see of having some sort of control is if I know the physical machine hosting the virtual machines has already been dot1x authenticated/authorized onto the network on the same switchport.

With IBNS 2.0 (session-aware networking) capabilities on current line of switches, it could be possible to change the port auth mode from multi-auth to single host upon authorization of host VM via interface/service templates, but realize that opens door wide open to any guest VM.

thomas
Cisco Employee

> can write a policy condition so that I can allow bridged virtual machines onto my network using MAB

Absolutely, yes!

> if the same switchport has already seen the physical host do a dot1x authentication and is still attached

No, ISE does not track physical vs VM instances per switchport.

> don't want to just allow any old workstation on using MAB

Please tell us exactly what you want. It is unclear what your real security risk/concern/issue is here. Do you want to allow VMs or not? Do you just want accountability for a developer running a VM instance on the network? Are you concerned with how much network access you give to a VM? If so, what destinations/ports/protocols?

You need to determine what your minimum allowed access is for any endpoint and allow that with an ACL or SGACL. Typically with an open-mode deployment this is DNS, DHCP, NTP, maybe PXE and URL redirect HTTP to ISE for WebAuth. Everything else is dropped. See How To: Universal IOS Switch Config for ISE for such a config.

You don't need to do 802.1X or join AD with every Windows instance. You could then have your employees running VMware do WebAuth for their Test VMs to open up access for their bridged VMware MAC.
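To make the "minimum allowed access, everything else dropped" idea above concrete, here is an added IOS configuration example in the style of a low-impact (open-mode) ISE port. It is not the text of the linked How To document and not the thread author's config; the ACL names, the interface, the PSN address (the 192.0.2.10 placeholder) and the choice of PXE/TFTP as the only extra pre-auth protocol are assumptions. Traffic matched by the pre-auth ACL is all a bridged VM gets before WebAuth; the redirect ACL is referenced from the ISE authorization profile so that the VM's HTTP/HTTPS is sent to the ISE portal until the user authenticates.

```text
! ----- Pre-authentication port ACL (open mode) -----
! Only what an unauthenticated endpoint needs to reach the ISE portal
! survives; everything else is dropped until the session is authorized.
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark NTP
 permit udp any any eq ntp
 remark PXE / TFTP (assumed to be needed in this network)
 permit udp any any eq tftp
 remark HTTP so the redirect ACL can send the browser to ISE
 permit tcp any any eq www
 remark Drop and log everything else
 deny ip any any log
!
! ----- Redirect ACL referenced by the ISE authorization profile -----
! In a redirect ACL "permit" means "redirect to the ISE portal";
! "deny" means "leave this traffic alone".
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark Never redirect traffic destined to the ISE PSN (placeholder address)
 deny ip any host 192.0.2.10
 remark Never redirect DNS and DHCP
 deny udp any any eq domain
 deny udp any eq bootpc any eq bootps
 remark Redirect web traffic from the not-yet-authorized VM
 permit tcp any any eq www
 permit tcp any any eq 443
!
! ----- Access port where the developer's laptop (and its bridged VMs) connect -----
interface GigabitEthernet1/0/1
 description Developer workstation port (assumed)
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
```

With this in place the physical host authenticates with 802.1X and receives its normal authorization, while each bridged VM MAC shows up as a separate MAB session on the same port, hits ACL-DEFAULT, and is redirected by ACL-WEBAUTH-REDIRECT to the ISE portal; only after the developer completes WebAuth does ISE push a dACL that widens the VM's access. The `deny ip any any log` line also gives a simple detection signal: repeated hits from an unexpected MAC on a developer port show an unauthorized VM trying to go beyond the pre-auth allowance.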

Hi Thomas

I guess I'm looking for accountability so I only let authorized developers run VMs. The host OS will be part of the domain so I can do dot1x machine auth for that but it is the guest VMs I wanted to authorize without just authorizing any machine that can present a VM mac address. So based on your advice above, looks like Webauth is the way forward with this. Thanks.

Glad that will work for you!

Just so you know, some alternatives for identifying users with a MAC address without doing 802.1X would be:

1) Device Registration where the developers need to register their VM MAC addresses in the ISE MyDevices portal

2) Easy Connect, where you would need to open up the default [SG]ACL to let the VM reach the AD domain controller(s), and then when the user logs into the VM (CTRL+ALT+DEL), ISE could stitch the MAB session with the AD login based on the IP address. Note that this would require your users to join their VMs to your Windows domain.
