
Limiting number of MACs with MAB and Multi-Auth (ISE 2.4)

Ditter
Level 3

Hi to all,

I have done some searching about this and I only found the following thread:

https://community.cisco.com/t5/identity-services-engine-ise/802-1x-authentication-and-port-security-simultaneously-in-multi/td-p/3482843 but I could not reach a result by reading this thread.

In addition, as mentioned by Cisco, port-security and 802.1x/MAB authentications are not compatible with each other, so are we at a dead end if we want to use MAB and limit the number of data MAC addresses?

Thanks,

Ditter.

Accepted Solution

Damien Miller
VIP Alumni
I'm not sure of the best way to go about this if you need more than a single phone and endpoint. I'll echo that dot1x and port security is a pain; it's seriously ugly to troubleshoot. I've seen some really weird behavior when port security config is left on dot1x ports.

That said, Cisco has documentation around using 802.1x with port security. It's not unsupported; they actually describe the expected behavior when both are used in tandem in the past Catalyst configuration guides I have read.

4 Replies

ognyan.totev
Level 5

Hi, with authentication host-mode multiauth you can't restrict the MAC addresses; the switch will try to authenticate every MAC address that it sees on the port. I don't know what the MAC limit is.

If you choose multidomain, it will allow you 1 MAC address for the data VLAN and 1 for voice.

Thanks Damien, I am a little bit confused about MAB in combination with port security.

Probably it depends on the platform of Catalyst switches and/or the IOS?

My current platform is Cat4500 (SUP6L) with 152-2.E8.

Ditter.

It could be platform specific, as you mentioned. Please move this email thread to the switching community.

-Krishnan
