
802.1x Device Authentication with ISE

Netmart
Level 1

Hello,

I am wondering whether the following interface config would allow a phone and a workstation access to the network, meaning would they get successfully authenticated via ISE:

interface Te1/12
 description ISE dot1x Port
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 device-tracking attach-policy IPDT_MAX_3
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 service-policy type control subscriber POLICY_Te1/12

Thank you for your advice.


8 Replies

Amine ZAKARIA
Spotlight

Hello @Netmart,

Can you share what is inside the service policy POLICY_Te1/12?

Mike.Cifelli
VIP Alumni

I am wondering, whether the following interface config would allow access of phone and workstation to network

- You are attempting to operate with the correct mode: access-session host-mode multi-domain. This specifies that only one client per domain (DATA or VOICE) can be authenticated at a time. However, you will need to test, because we can't see what is in the service policy attached to the interface.

Hi Mike,

Thank you for clarification.

Only the wording is still a bit confusing to me.

"only one client per DATA or VOICE domain can be authenticated at a time."

Meaning only a PC OR a phone can run at a time on the port,

or

only one PC AND one phone can run at a time on a port?

Regards,

Martin

multi-domain is one of a variety of security mechanisms that limit the number of MAC addresses that will be learned on that interface. In this case, multi-domain means:

1 MAC address in the DATA domain

1 MAC address in the VOICE domain

If you were to violate that by assigning the phone to a VLAN in the DATA domain, and then also attaching a PC to the phone's data port, then the switch will err-disable the port because now you'll have 2 MAC addresses in the DATA domain. Or, more commonly, if you attach a small hub or switch to the phone, thinking you can hook a few devices up ... it won't work.

There are other options like multi-host, etc. - you can google it.

Arne Bier
VIP

The switch port config shown will only process 802.1X frames (EAPOL). If any attached devices do not have a supplicant, then they won't be authorized onto either DATA or VOICE Domain. If you need to process non-supplicant devices, then also add the MAB command to the interface.

 

Thank you Arne, yes, agree, the key is that a device needs to have the supplicant installed. The alternative is MAB. However, isn't it also possible to install a temporary web-based client through posture/provisioning/remediation, provided that the client is non-compliant?

Regards,

Netmart

If a client doesn't have a supplicant, then it will never speak EAPOL (EAP over LAN). This is a layer 2 protocol. You either have it or you don't. If you don't, then the switch will accept "normal" traffic when mab is enabled on that port. Switch sends MAC address to ISE to authorize and if successful then the port is authorized and then it's business as usual (DHCP etc.). What the client then does with a web based client etc. all runs while the port is in MAB auth'd mode.  And you can do whatever compliance checks you need/like. If the client is found to be non-compliant then you can reauth it and stick the device into another VLAN. Problem with VLAN switching in that scenario (where the PC already has an IP address via DHCP) is that you'd probably need to bounce the port to force the client to perform DHCP again.

Thank you for clearing this up.

The figure below actually illustrates your findings.

By default, with 802.1x only EAP is allowed; with Authentication Open all ports are allowed; or, if there is no supplicant (no EAPOL), MAB is the alternative.

 

 

 

[Image: 802.1x.png]