02-06-2022 01:40 PM
Hello,
I am wondering whether the following interface config would allow a phone and a workstation access to the network, meaning do they get successfully authenticated via ISE:
interface Te1/12
 description ISE dot1x Port
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 device-tracking attach-policy IPDT_MAX_3
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 service-policy type control subscriber POLICY_Te1/12
Thank you for your advice.
02-06-2022 08:32 PM
Hello @Netmart ,
Can you share what is inside the service policy POLICY_Te1/12 ?
02-07-2022 04:37 AM
I am wondering, whether the following interface config would allow access of phone and workstation to network
-You are attempting to operate with the correct mode: access-session host-mode multi-domain = Specifies that only one client per domain (DATA or VOICE) can be authenticated at a time. However, you will need to test because we can't see what is in the service policy attached to the interface.
02-09-2022 09:38 PM
Hi Mike,
Thank you for clarification.
Only the wording is still a bit confusing to me.
"only one client per DATA or VOICE domain can be authenticated at a time."
Meaning only a PC OR a phone can run at a time on the port,
or
only one PC AND one phone can run at a time on a port?
Regards,
Martin
02-10-2022 01:09 AM
multi-domain is one of a variety of security mechanisms that limit the number of MAC addresses that will be learned on that interface. In this case, multi-domain means:
1 MAC address in the DATA domain
1 MAC address in the VOICE domain
If you were to violate that by assigning the phone to a VLAN in the DATA domain, and then also attaching a PC to the phone's data port, then the switch will err-disable the port because now you'll have 2 MAC addresses in the DATA domain. Or, more commonly, if you attach a small hub or switch to the phone, thinking you can hook a few devices up ... it won't work.
There are other options like multi-host, etc. - you can google it.
02-09-2022 03:02 PM
The switch port config shown will only process 802.1X frames (EAPOL). If any attached devices do not have a supplicant, then they won't be authorized onto either DATA or VOICE Domain. If you need to process non-supplicant devices, then also add the MAB command to the interface.
02-09-2022 09:35 PM
Thank you Arne, yes, agree, the key is that a device needs to have the supplicant installed. The alternative is MAB. However, isn't it also possible to install a temporary web-based client through posture/provisioning/remediation, provided that the client is non-compliant?
Regards,
Netmart
02-10-2022 01:14 AM
If a client doesn't have a supplicant, then it will never speak EAPOL (EAP over LAN). This is a layer 2 protocol. You either have it or you don't. If you don't, then the switch will accept "normal" traffic when mab is enabled on that port. Switch sends MAC address to ISE to authorize and if successful then the port is authorized and then it's business as usual (DHCP etc.). What the client then does with a web based client etc. all runs while the port is in MAB auth'd mode. And you can do whatever compliance checks you need/like. If the client is found to be non-compliant then you can reauth it and stick the device into another VLAN. Problem with VLAN switching in that scenario (where the PC already has an IP address via DHCP) is that you'd probably need to bounce the port to force the client to perform DHCP again.
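To make the two points above concrete (the port in the original question only processes EAPOL, so a MAB fallback is needed for non-supplicant devices, and ISE must be able to reauthenticate or bounce the port afterwards), here is an added example configuration. It is not from the thread or from any poster: the contents of POLICY_Te1/12 were never shown, so the control policy, the class-map names, and the ISE address 192.0.2.10 and shared-secret placeholder below are assumptions following Cisco's standard IBNS 2.0 dot1x-then-MAB pattern; the interface block is the poster's port with `mab` added.

```cisco
! Added example, not the poster's actual policy. Assumed values: ISE at
! 192.0.2.10, shared secret placeholder, class-map/policy names.
!
! Let ISE send RADIUS CoA (reauthenticate, port-bounce) to this switch,
! which is what a VLAN change after a failed posture check relies on.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <ISE-SHARED-SECRET>
!
! Result classes used by the policy below
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
! Try 802.1X first; if nothing answers EAPOL, fall back to MAB so a
! device without a supplicant can still be authorized by MAC address.
policy-map type control subscriber POLICY_Te1/12
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
!
! The poster's port, with MAB enabled in addition to 802.1X.
! multi-domain still allows exactly one MAC in DATA and one in VOICE.
interface TenGigabitEthernet1/12
 description ISE dot1x Port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 device-tracking attach-policy IPDT_MAX_3
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 service-policy type control subscriber POLICY_Te1/12
```

After applying it, `show access-session interface TenGigabitEthernet1/12 details` shows which method (dot1x or mab) each of the DATA and VOICE sessions was authorized with, and `show policy-map type control subscriber name POLICY_Te1/12` confirms the policy was parsed. The `dynamic-author` stanza is what lets ISE reauthenticate the session or bounce the port when it wants the client to re-DHCP into a new VLAN, as described in the reply above.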
02-10-2022 10:02 AM
Thank you for clearing this up.
The figure below actually illustrates your findings.
By default (802.1X only), only EAP is allowed; with authentication open, all traffic is allowed; or, if there is no supplicant [no EAPOL], MAB is the alternative.