We would need a way to correlate the number of sessions active against a particular port on a specific switch. Unfortunately, ISE doesn’t have this functionality today.

Regards,

-Tim

Hi,

Just want to explore all available options from switch level. Has anyone developed a usable method to limit the number of mac addresses on a port without port security?

From ISE side, would a fix will be available to limit number of sessions in a switch port (in multi-auth) in upcoming ISE versions or in the roadmap?

Thank You!

TK.

See https://supportforums.cisco.com/discussion/12290816/port-security-and-8021x-ise for details on similar request.  host-mode = multi-mda will automatically restrict port to one voice endpoint (ex: phone) and one data endpoint (ex: PC).

Although it is possible to configure port for max MAC addresses with multi-auth, there are cases where the interaction between port security can conflict or produce unexpected results.  This is why it is generally recommended not to mix 802.1X and port security.  Best to test in lab first to ensure behavior is what is desired.

Example: (config-if) # switchport port-security maximum 4

If decide to test, I would also recommend setting the violation policy. 

Example: (config-if)# switchport port-security violation restrict

I see this question has also been moved to an internal discussion.  As noted, the question here is specific to switch security feature support, not ISE support.

/Craig

Is there any change on the best practice for port-security and multi-auth.  This discussion dates back to 2016, however we are posing the same question today. We want to allow 1 phone and multiple computers.  Does just having 802.1x authentication mitigate a MAC address flooding attack?