03-10-2016 12:00 PM
Hi,
How can we restrict the number of MAC addresses in 802.1X port authentication with multi-auth mode on a switch? Can we configure and use 802.1X authentication and port security simultaneously on a switch interface in multi-auth mode, and would this be recommended/supported?
Thanks!
TK.
03-10-2016 12:09 PM
Hi TK,
Currently, 802.1X with Port-Security is not a supported configuration. As stated in other threads, it isn’t an issue from an ISE perspective but more of a matter of the switching platform supporting it.
Regards,
-Tim
03-10-2016 12:21 PM
Thanks for the clarification. So, how do we provide security at the port level in that case? Is there a way to restrict the interface to, say, only 3 hosts, so that a 4th one creates a violation condition in multi-auth mode?
03-10-2016 12:24 PM
We would need a way to correlate the number of sessions active against a particular port on a specific switch. Unfortunately, ISE doesn’t have this functionality today.
Regards,
-Tim
03-16-2016 06:04 AM
Hi,
Just want to explore all available options at the switch level. Has anyone developed a usable method to limit the number of MAC addresses on a port without port security?
From the ISE side, will a fix be available to limit the number of sessions on a switch port (in multi-auth) in upcoming ISE versions, or is it on the roadmap?
Thank You!
TK.
03-17-2016 05:14 AM
See https://supportforums.cisco.com/discussion/12290816/port-security-and-8021x-ise for details on a similar request. host-mode = multi-mda will automatically restrict the port to one voice endpoint (ex: phone) and one data endpoint (ex: PC).
Although it is possible to configure the port for a maximum number of MAC addresses with multi-auth, there are cases where the interaction with port security can conflict or produce unexpected results. This is why it is generally recommended not to mix 802.1X and port security. Best to test in a lab first to ensure the behavior is what is desired.
Example: (config-if)# switchport port-security maximum 4
If you decide to test, I would also recommend setting the violation policy.
Example: (config-if)# switchport port-security violation restrict
I see this question has also been moved to an internal discussion. As noted, the question here is specific to switch security feature support, not ISE support.
/Craig
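As an added illustration (not from any post in this thread), the two commands Craig quotes placed in a complete Catalyst access-port template, so the pieces can be reviewed together before a lab test: 802.1X/MAB in multi-auth mode, a port-security ceiling of four MACs with at most one in the voice VLAN, and the restrict violation action that drops and logs rather than err-disabling the port. The interface name, VLAN IDs and description are placeholders; whether port security and 802.1X may be combined at all depends on the switching platform, as the thread states.

```cisco
! Added example, not from any post in this thread. Interface name and VLAN IDs
! are placeholders; support for combining these features is platform-dependent.
interface GigabitEthernet1/0/10
 description Access port: 1 phone + up to 3 PCs (lab template)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! 802.1X with MAB fallback, one authenticated session per MAC address
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 ! Port-security ceiling layered on top: 4 MAC addresses total on the port,
 ! of which at most 1 may appear in the voice VLAN
 switchport port-security
 switchport port-security maximum 4
 switchport port-security maximum 1 vlan voice
 ! 'restrict' discards frames from any 5th MAC address and raises a syslog
 ! message / SNMP trap; the default 'shutdown' would err-disable the port
 switchport port-security violation restrict
 spanning-tree portfast
!
! Verification once endpoints are connected (privileged EXEC):
!   show authentication sessions interface GigabitEthernet1/0/10
!   show port-security interface GigabitEthernet1/0/10
```

Watch both show commands together during the test: the first lists the sessions the authenticator accepted, the second shows the port-security count and any violations, and a disagreement between them is the interaction the thread warns about.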
02-26-2019 12:00 PM
Is there any change to the best practice for port-security and multi-auth? This discussion dates back to 2016; however, we are posing the same question today. We want to allow 1 phone and multiple computers. Does just having 802.1X authentication mitigate a MAC address flooding attack?