02-19-2020 08:27 AM
Hi Experts,
I am testing one use case of PEAP-only; my setup is like below:
VM machine--->trunk port--->Switch---->ISE
Although I know the port should be an access port for EAPOL traffic to reach the RADIUS server through the switch,
here on the trunk port it is taking all the authentication commands, but connectivity between the switch and the VM breaks after the authentication commands are pushed. I am able to successfully test the AD user from the switch with the command: test aaa group radius <username> <password> new-code. That means if I send a RADIUS packet from the switch with an AD username, it is successfully authenticated and gets the policy set (authorization) as well; it is showing in the live logs on ISE as well.
So my question is: if the port between the switch and the VM machine is a trunk, will this scenario work or not, or does it have to be an access port only? If that is true, then please give the reference link (web link), so I can prove further that it will not work on a trunk port.
If there is a chance that it will work, then please let me know what I am missing.
Commands on the switch port towards the VM machine:
Commands on switch port towards VM machine:
interface GigabitEthernet2/0/24
 description # Connected to VM# ESXi 250.18
 switchport mode trunk
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
end
Status on the switch:
switch#sh authentication sessions int gi2/0/24
Interface   MAC Address     Method   Domain    Status   Fg   Session ID
--------------------------------------------------------------------------------------------
Gi2/0/24    000c.29da.bda6  dot1x    UNKNOWN   Unauth        C3FBD30A000005775B7DAB1A
Gi2/0/24    0050.565d.d52a  dot1x    UNKNOWN   Unauth        C3FBD30A000005785B7DBE52
Thanks
Garry
02-19-2020 02:26 PM
Support for 802.1x on Trunk Ports is dependent on the hardware/software platform, so you might have to check the Feature Navigator for your platform. See the following post:
Even if supported, there are other limitations (dynamic VLAN assignment, etc.) when using 802.1x on a Trunk Port, so using an access port is recommended. If using the IBNS 2.0 framework on the switch, I believe it will prevent you from configuring 802.1x on a Trunk Port unless it is for the NEAT use case.
02-19-2020 08:36 PM
Thanks Mike for your suggestion.
Configuring multi-host or multi-domain is another story, like how many endpoints and what type of endpoints (voice and data) we want to use. Moreover, configuring dot1x pae authenticator is the case for the NEAT topology, where my switch will act as a supplicant and will support video endpoints, etc.
My question is simple: can we use dot1x on a trunk port or not? Because there is a limitation for me in configuring an access port on the VM side; in that case the VM will not work and I have to make it trunk only.
Thanks
Garry
02-19-2020 09:11 PM
Thanks Greg,
My hardware is C9300-24T, so it means dot1x will not work on a trunk port for me, as per the link you have shared.
The IEEE 802.1X Support for Trunk Ports feature is used to configure Ethernet interfaces as trunk ports.
In Cisco IOS XE Release 3.2SE, this feature was supported on the following platforms:
Catalyst 3850 Series Switches
Cisco 5760 Wireless LAN Controller
In Cisco IOS XE Release 3.3SE, this feature was supported on the following platforms:
Catalyst 3650 Series Switches
Cisco Catalyst 3850 Series Switches.
Thanks
Garry
02-21-2020 03:52 PM - edited 02-21-2020 03:54 PM
Greg is correct: the feature "802.1X on Trunk Ports" is to support NEAT and FlexConnect APs. Cisco Live session BRKCRS-2600 has some info. If you have further questions on this feature, please post them to the Switching community.
The same is applicable to catalyst 9K switches.
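As an added example (not part of this thread or of any Cisco tool), the following audit script parses IOS-style running-config text and reports interfaces that combine `switchport mode trunk` with 802.1X port control, which is the condition the answers above say to avoid outside the NEAT use case. The sample config is constructed from the interface block posted above plus two contrasting interfaces; the `access-session port-control` match is included on the assumption that the switch may use IBNS 2.0 syntax.

```python
# Constructed sample: the trunk interface from the thread, plus an access port
# with the same authentication command and a plain trunk with none.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/24
 description # Connected to VM# ESXi 250.18
 switchport mode trunk
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
interface GigabitEthernet2/0/1
 switchport mode access
 authentication port-control auto
 mab
!
interface GigabitEthernet2/0/2
 switchport mode trunk
!
"""

# Legacy and IBNS 2.0 (assumed) forms of the command that turns on port authentication.
PORT_CONTROL_PREFIXES = ("authentication port-control", "access-session port-control")


def parse_interfaces(config):
    """Return {interface_name: [indented sub-commands]} from running-config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command closes the block
    return interfaces


def trunk_ports_with_dot1x(config):
    """Names of interfaces that are trunks and also have port authentication enabled."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        is_trunk = "switchport mode trunk" in lines
        auth_on = any(l.startswith(PORT_CONTROL_PREFIXES) for l in lines)
        if is_trunk and auth_on:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in trunk_ports_with_dot1x(SAMPLE_CONFIG):
        print(f"{name}: 802.1X port-control on a trunk port; use an access port unless this is a NEAT link")
```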