802.1x different authentication servers for voice and data

Hello,

 

 Please forgive me if someone already asked the question. I looked through the discussions and could not find the answer. Is it possible to configure 802.1x to authenticate to different Authentication Servers, one for data and the other for voice (i.e. an MS NPS server for data and Cisco ISE for voice)? Thank you for your help and your time.

 

Al


8 Replies

Milos_Jovanovic (VIP Alumni)

Hi @albert.r.foy2.mil,

In general - yes. You can use different authentication sources, as long as you can specify some differentiating conditions for that.

Policies are built based on logical If/Then statements, so if you can precisely describe the condition, then you can use different identity sources. Quite simplified, an example could be:

If (authentication == MAB) Then (Use Internal Endpoints)

Else If (authentication == dot1x) Then (Use AD)

Else Drop

Of course, this is really simplified, and you'll have to think of a unique condition that would allow you to achieve what you would like to.

BR,

Milos

Milos,

 

 Thank you for the reply. I'll look into this as an option. Thank you again.

 

Al

Hi @albert.r.foy2.mil,

Just to add a bit more context to my proposal - I also had in mind what @Greg Gibbs wrote (but I hadn't stressed it explicitly), that you'll have to direct RADIUS traffic from the switch back to ISE, and then on ISE split the policies per specific conditions.

BR,

Milos

Milos,

 

Thank you for the reply. We have MAB objects for the phones using the MAC address, I’m going to attempt to differentiate using the OUI to authenticate the phones with ISE and send the data authentication to the NPS. Thank you again for the help.

 

Al

Greg Gibbs (Cisco Employee)

A switch does not have the logic to point to different RADIUS servers for different types of traffic. The RADIUS server group configuration only allows configuration of multiple RADIUS servers for high availability, and will only use the second server in the sequence if connectivity to the first server fails.

For what you are trying to do, you would need to send all RADIUS traffic from the switch to one RADIUS server (NPS or ISE) and configure rules on that server to proxy specific traffic to the other RADIUS server.

This can be done in ISE by configuring an external RADIUS server and using an External RADIUS Server Sequence in your Policy Set. See an example in Configure External RADIUS Servers on ISE. This is typically used for specific use cases, however, and it may be difficult to accomplish your broader separation between all data traffic and all voice traffic due to the limited attributes ISE receives from the initial RADIUS requests that can be used in Policy Set conditions (you can't rely on Profiling at this stage, for example).

This would also obviously complicate troubleshooting and daily operations as your support team would need to understand the flows and where to look for the different use cases.

Greg,

 

 Thank you for the reply. This makes sense as I could not find a command to differentiate between the different authentication server for voice or data. I think I might have to set the policy in ISE based on the OUI of the IP Phone’s MAC or LSC? I do not know if that will work. Thank you for the help.

 

Al

If you're authenticating the phones via EAP-TLS and using the LSC, you would be able to match on attributes in the certificate (Issuer Name, etc) to separate out that traffic into your top Policy Set and authenticate that directly via ISE. You could then use a matching condition in your next Policy Set that matches on general Wired traffic and proxy all of that to your external NPS RADIUS server.
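The following is an added illustration, not code from ISE or from anyone in this thread. It models the top-down, first-match Policy Set logic Milos describes (If/Then, else drop) and the ordering Greg recommends: a voice set that matches EAP-TLS requests by certificate issuer and authenticates locally, a voice MAB set keyed on the phone OUI (Al's idea), and a catch-all wired set that hands everything else to an external RADIUS server sequence pointing at NPS. Only attributes present in the initial Access-Request are used, because profiling data is not available at that point. The issuer CN, the OUI list, the policy names and the sample requests are all constructed assumptions; the Service-Type values (Call-Check for MAB, Framed for 802.1X) and NAS-Port-Type Ethernet are what Cisco switches send.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class AccessRequest:
    """Subset of RADIUS attributes the switch sends in the initial request."""
    calling_station_id: str                 # endpoint MAC, "00-1A-A1-11-22-33" or "00:1a:a1:..."
    nas_port_type: str = "Ethernet"         # "Ethernet" for wired ports
    service_type: str = "Framed"            # Cisco switches: "Call-Check" for MAB, "Framed" for 802.1X
    eap_method: Optional[str] = None        # outer EAP method once negotiated, e.g. "EAP-TLS"
    cert_issuer_cn: Optional[str] = None    # issuer CN of the client cert (EAP-TLS only)

    def oui(self) -> str:
        """First three octets of the MAC, normalised to 'XX-XX-XX'."""
        mac = self.calling_station_id.upper().replace(":", "-").replace(".", "")
        return mac[:8]


@dataclass
class PolicySet:
    name: str
    condition: Callable[[AccessRequest], bool]
    identity_source: str


# Assumed values for this example: the CAPF that issues the phones' LSCs and
# the OUI(s) the site treats as IP phones.  Replace with your own.
LSC_ISSUER_CN = "CAPF-lab-cluster"
VOICE_OUIS = {"00-1A-A1"}

# Evaluated top-down; the first matching set wins, exactly like ISE Policy Sets.
POLICY_SETS: List[PolicySet] = [
    PolicySet("Voice - EAP-TLS (LSC)",
              lambda r: r.eap_method == "EAP-TLS" and r.cert_issuer_cn == LSC_ISSUER_CN,
              "ISE certificate authentication profile"),
    PolicySet("Voice - MAB by OUI",
              lambda r: r.service_type == "Call-Check" and r.oui() in VOICE_OUIS,
              "ISE Internal Endpoints"),
    PolicySet("Wired - data",
              lambda r: r.nas_port_type == "Ethernet",
              "External RADIUS Server Sequence -> NPS"),
]

DEFAULT_RESULT = ("Default", "Deny Access")   # the 'Else Drop' in Milos's example


def select_policy_set(req: AccessRequest,
                      policy_sets: List[PolicySet] = POLICY_SETS) -> Tuple[str, str]:
    """Return (policy set name, identity source) for the first matching set."""
    for ps in policy_sets:
        if ps.condition(req):
            return ps.name, ps.identity_source
    return DEFAULT_RESULT


# Constructed sample requests.
PHONE_TLS = AccessRequest("00:1a:a1:11:22:33", eap_method="EAP-TLS",
                          cert_issuer_cn=LSC_ISSUER_CN)
PHONE_MAB = AccessRequest("00-1A-A1-44-55-66", service_type="Call-Check")
LAPTOP_PEAP = AccessRequest("3C-22-FB-AA-BB-CC", eap_method="PEAP")
WLAN_CLIENT = AccessRequest("3C-22-FB-AA-BB-CD", nas_port_type="Wireless - IEEE 802.11")


def demo() -> List[Tuple[str, str]]:
    """Run the four samples through the ordered sets; the last entry shows
    what happens if the wired catch-all is placed first: the phone is proxied
    to NPS instead of being authenticated by ISE."""
    results = [select_policy_set(r) for r in (PHONE_TLS, PHONE_MAB, LAPTOP_PEAP, WLAN_CLIENT)]
    results.append(select_policy_set(PHONE_TLS, list(reversed(POLICY_SETS))))
    return results


if __name__ == "__main__":
    for name, source in demo():
        print(f"{name:28s} -> {source}")
```

Two practical points the model makes visible. First, order is everything: the wired catch-all must sit below the voice sets, otherwise every phone request is proxied to NPS. Second, the MAB/OUI path trusts nothing but the MAC address, so any device that clones a phone OUI lands in the voice set and in the voice VLAN; the EAP-TLS/LSC path is the one that actually binds the phone to a certificate the CAPF issued, which is why Greg's accepted answer leads with it.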

Greg,

 

Thank you for the reply. This sounds like a great solution! Thank you again for your help and your time.

 

Al
