
802.1x Authentication and Port-Security simultaneously in multi-auth mode

sahaputh
Level 1

Hi,

How can we restrict number of MAC addresses in 802.1x port authentication with multi-auth mode in a switch. Can we configure and use 802.1x Authentication and Port Security simultaneously in a switch interface in multi-auth mode and would this be recommended/supported ?

Thanks!

TK.

1 Accepted Solution

Timothy Abbott
Cisco Employee

Hi TK,

Currently, 802.1X with Port-Security is not a supported configuration. As stated in other threads, it isn’t an issue from an ISE perspective but more of a matter of the switching platform supporting it.

Regards,

-Tim


6 Replies


sahaputh
Level 1

Thanks for the clarification. So, how do we provide security at the port level in that case? Is there a way to restrict the interface to, say, only 3 hosts, so that a 4th one creates a violation condition in multi-auth mode?

We would need a way to correlate the number of sessions active against a particular port on a specific switch. Unfortunately, ISE doesn’t have this functionality today.

Regards,

-Tim

Hi,

Just want to explore all available options from switch level. Has anyone developed a usable method to limit the number of mac addresses on a port without port security?

From the ISE side, will a fix be available to limit the number of sessions on a switch port (in multi-auth) in upcoming ISE versions, or is it on the roadmap?

Thank You!

TK.

See https://supportforums.cisco.com/discussion/12290816/port-security-and-8021x-ise for details on a similar request. host-mode = multi-mda will automatically restrict the port to one voice endpoint (ex: phone) and one data endpoint (ex: PC).

Although it is possible to configure the port for max MAC addresses with multi-auth, there are cases where the interaction with port security can conflict or produce unexpected results. This is why it is generally recommended not to mix 802.1X and port security. Best to test in the lab first to ensure the behavior is what is desired.

Example: (config-if)# switchport port-security maximum 4

If you decide to test, I would also recommend setting the violation policy.

Example: (config-if)# switchport port-security violation restrict

I see this question has also been moved to an internal discussion. As noted, the question here is specific to switch security feature support, not ISE support.

/Craig
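The two options Craig describes, written out as a full interface configuration. This is an added example, not configuration from the original thread or from Cisco documentation; the interface names, VLAN IDs and the value 4 are assumptions, and the second interface is the lab-only combination the thread says is not a supported configuration.

```cisco
! Assumed global prerequisites for IEEE 802.1X on the switch
aaa new-model
dot1x system-auth-control
!
! Option 1 (supported): multi-domain host mode.
! The switch itself limits the port to one voice endpoint
! and one data endpoint, so no port-security is needed.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10          ! assumed data VLAN
 switchport voice vlan 20           ! assumed voice VLAN
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
!
! Option 2 (lab test only, per the thread): multi-auth host mode
! with port-security capping the number of MAC addresses.
! The thread states this mix is not a supported configuration and
! can produce unexpected results, so verify behavior before deploying.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10          ! assumed data VLAN
 switchport voice vlan 20           ! assumed voice VLAN
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 mab
 switchport port-security
 switchport port-security maximum 4         ! 4th MAC is the last allowed
 switchport port-security violation restrict ! drop extra MACs, log, keep port up
!
end
```

After a lab test, `show port-security interface GigabitEthernet1/0/2` and `show authentication sessions interface GigabitEthernet1/0/2` show whether the MAC cap and the 802.1X sessions agree on the same set of hosts.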

Is there any change to the best practice for port-security and multi-auth? This discussion dates back to 2016, however we are posing the same question today. We want to allow 1 phone and multiple computers. Does just having 802.1x authentication mitigate a MAC address flooding attack?