cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1186
Views
1
Helpful
6
Replies
Cisco Employee

ISE Posture on Windows machine with Hyper-V

Hello team,

I have a customer that has windows machines. When they activate KVM Hyper-V VM, it is like the network card/adapter of the machine deactivates (something like virtual switch comes in). So it is impossible to have Posture on that machine....

Do we have any kind of solution for this kind of scenarios?

Thanks!

Alex

Everyone's tags (2)
6 REPLIES 6
Cisco Employee

Re: ISE Posture on Windows machine with KVM

Assuming KVM means keyboard, video, and mouse, I do not think we are supporting such at the moment, so I would suggest you to discuss it with ISE PM team.

Highlighted
Cisco Employee

Re: ISE Posture on Windows machine with KVM

Thanks.

My customer's scenario is like this:

There are some users who use virtual machines with Hyper-V (not KVM sorry for that mistake). They cant authenticate using 802.1x because there is more than one MAC address trying to register in the same port.

is there any way we can solve that scenario?

Thanks!

Cisco Employee

Re: ISE Posture on Windows machine with KVM

As long as the network interface of each Hyper-V VM has one and only one IPv4 MAC address and the Cisco switch interface configured in multi-auth mode, then we should be able to see each VM as its own endpoint and posture accordingly. I think you might need to check with the switch platform teams and see any scale limits.

Cisco Employee

Re: ISE Posture on Windows machine with Hyper-V

We also faced the same issue few days back although kept it aside for now.

We are hosting a virtual mobile emulator in Hyper-V in some machines. The issue we faced was that even the host machine lost connectivity when these machines were moved to multi-auth environment.

Cisco Employee

Re: ISE Posture on Windows machine with Hyper-V

Thanks Utkarsh,

How is your scenario? to what switch are you connecting your host machine? are the VM's in the host machine in L2 each one with its own IP address? Are you making posture on that environment?

Cisco Employee

Re: ISE Posture on Windows machine with Hyper-V

Alex,

I believe the issue is not with Posture but with dot1x support in Hyper-V.

It is most likely that the Hyper-V is dropping EAP packets which are layer 2 frames sent to a multicast MAC address from the host machine.

This is a known issue and Microsoft seems to have acknowledged it.

I have not seen this issue for hosts behind a vSwitch though.

Check below links

https://social.technet.microsoft.com/forums/windows/en-US/341cbe70-3fa7-4991-a7e4-4f1af63df4d0/windows-8-hyperv-8021x-eapol-request-missing

https://windowsserver.uservoice.com/forums/295050-virtualization/suggestions/8619418-let-hyper-v-virtual-switch-forward-802-1x-authenti