09-13-2021 03:39 AM
Hello,
Please forgive me if someone already asked the question. I looked through the discussions and could not find the answer. Is it possible to configure 802.1x to authenticate to different Authentication Servers, one for data and the other for voice (i.e. an MS NPS server for data and Cisco ISE for voice)? Thank you for your help and your time.
Al
09-13-2021 05:49 AM
In general - yes. You can use different authentication sources, as long as you can specify some differentiating conditions for that.
Policies are built based on logical If/Then statements, so if you can precisely describe the condition, then you can use different identity sources. Quite simplified, an example could be:
If (authentication == MAB) Then (Use Internal Endpoints)
Else If (authentication == dot1x) Then (Use AD)
Else Drop
Of course, this is really simplified, and you'll have to think of a unique condition that would allow you to achieve what you would like to.
BR,
Milos
09-14-2021 12:58 AM
Milos,
Thank you for the reply. I'll look into this as an option. Thank you again.
Al
09-14-2021 01:12 AM
Just to add a bit more context to my proposal - I also had in mind what @Greg Gibbs wrote (but I hadn't stressed it explicitly), that you'll have to direct RADIUS traffic from the switch back to ISE, and then on ISE split the policies per specific conditions.
BR,
Milos
09-14-2021 01:38 AM
Milos,
Thank you for the reply. We have MAB objects for the phones using the MAC address, I’m going to attempt to differentiate using the OUI to authenticate the phones with ISE and send the data authentication to the NPS. Thank you again for the help.
Al
09-13-2021 04:01 PM
A switch does not have the logic to point to different RADIUS servers for different types of traffic. The RADIUS server group configuration only allows configuration of multiple RADIUS servers for high availability, and will only use the second server in the sequence if connectivity to the first server fails.
For what you are trying to do, you would need to send all RADIUS traffic from the switch to one RADIUS server (NPS or ISE) and configure rules on that server to proxy specific traffic to the other RADIUS server.
This can be done in ISE by configuring an external RADIUS server and using an External RADIUS Server Sequence in your Policy Set. See an example in Configure External RADIUS Servers on ISE. This is typically used for specific use cases, however, and may make it difficult to accomplish your broader separation between all data traffic and all voice traffic due to the limited attributes ISE receives in the initial RADIUS requests that can be used in Policy Set conditions (you can't rely on Profiling at this stage, for example).
This would also obviously complicate troubleshooting and daily operations as your support team would need to understand the flows and where to look for the different use cases.
09-14-2021 01:16 AM
Greg,
Thank you for the reply. This makes sense as I could not find a command to differentiate between different authentication servers for voice or data. I think I might have to set the policy in ISE based on the OUI of the IP Phone's MAC or LSC? I do not know if that will work. Thank you for the help.
Al
09-14-2021 06:11 PM
If you're authenticating the phones via EAP-TLS and using the LSC, you would be able to match on attributes in the certificate (Issuer Name, etc) to separate out that traffic into your top Policy Set and authenticate that directly via ISE. You could then use a matching condition in your next Policy Set that matches on general Wired traffic and proxy all of that to your external NPS RADIUS server.
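As an added illustration (not code from this thread, from ISE, or from NPS), here is a toy Python model of the top-down Policy Set ordering described above: a request is matched on attributes that are present in the initial RADIUS request (certificate Issuer for EAP-TLS phones using the LSC, the Calling-Station-Id OUI for MAB phones, NAS-Port-Type for general wired traffic), and the first matching set decides whether ISE authenticates locally or proxies to the external NPS sequence. The issuer name, OUIs, and policy-set names are constructed assumptions.

```python
"""Toy model of ordered ISE-style policy sets (added example, not ISE code):
decide whether a RADIUS request is authenticated locally or proxied to NPS
using only attributes carried in the initial request."""
import re

# Constructed sample values: an assumed LSC issuer name and assumed phone OUIs.
PHONE_LSC_ISSUER = "CN=CUCM-CAPF-Example"
PHONE_OUIS = {"00:1A:2B", "00:1E:F7"}

def normalize_mac(calling_station_id):
    """Switches send Calling-Station-Id as 00-1A-2B-..., 001a.2b3c.4d5e or
    00:1a:2b:...; reduce to AA:BB:CC:DD:EE:FF so an OUI condition is
    format-agnostic (a common cause of MAB rules silently not matching)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def oui(mac):
    """First three octets of a normalized MAC."""
    return normalize_mac(mac)[:8]

# Conditions, evaluated top-down; first match wins like ISE Policy Sets.
def is_lsc_phone(req):
    return req.get("eap") == "EAP-TLS" and req.get("cert_issuer") == PHONE_LSC_ISSUER

def is_mab_phone(req):
    # Cisco switches send Service-Type = Call-Check for MAB requests.
    mac = req.get("calling_station_id")
    return req.get("service_type") == "Call-Check" and mac is not None and oui(mac) in PHONE_OUIS

def is_wired(req):
    return req.get("nas_port_type") == "Ethernet"

POLICY_SETS = [
    ("Voice-LSC", is_lsc_phone, "ISE:Internal/CertAuth"),   # authenticate on ISE
    ("Voice-MAB", is_mab_phone, "ISE:Internal Endpoints"),  # authenticate on ISE
    ("Wired-Data", is_wired, "Proxy:NPS-Sequence"),         # proxy to external NPS
]

def route(req):
    """Return (policy set name, target) for the first matching policy set."""
    for name, cond, target in POLICY_SETS:
        if cond(req):
            return name, target
    return "Default", "Reject"
```

Order matters: if the general "Wired-Data" set were listed first, every phone would be proxied to NPS before the voice conditions were ever evaluated.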
09-15-2021 01:01 AM
Greg,
Thank you for the reply. This sounds like a great solution! Thank you again for your help and your time.
Al