07-11-2023 10:01 AM
Greetings,
I'm trying to figure out how best to implement 802.1x port-based authentication on a network that supports multiple tenants. We control the distribution and access switches with clients connecting to multiple domains on different networks. Because this is a validation and testing environment, everyone is going to eventually require their own RADIUS authentication server (probably ISE).
In other words, client A on switch A will need to authenticate with the RADIUS server belonging to tenant A, while client B (also on switch A) would need to authenticate with a different RADIUS server belonging to tenant B, and so on. So far the closest I've come to a solution is this:
https://community.cisco.com/t5/network-access-control/802-1x-multi-server-radius/td-p/4488535
But that's just for use as an HA failover and not a valid solution for our environment. Any help would be appreciated, thanks.
07-11-2023 10:06 AM
ISE (and the switch config) is not designed for multi-tenancy
07-11-2023 10:46 AM
Do you have one PSN node or two?
07-11-2023 12:19 PM
Good question. If it was up to me we'd just operate a single node, but I'm pretty sure each tenant is gonna want to stand up their own policy server. I spoke to a Cisco engineer who recommended parsing all the clients into separate VRFs, but that creates a whole new set of problems because we'd have to create an interface VLAN for every SVI being used on an access port on that switch, in addition to a routed admin VLAN per VRF to direct the switch to their RADIUS server.
07-11-2023 12:25 PM - edited 07-11-2023 12:26 PM
Yeah, there are limits on how many AAA servers you can configure as well. What is the exact use-case here? Why so many clients on a single switch? Why the need for full AAA separation?
07-11-2023 12:30 PM
SVI x for port x-x10 in VRF x
use radius server vrf aware PSN1
use source interface SVI x
SVI y for port y-y10 in VRF y
use radius server vrf aware PSN2
use source interface SVI y
That can work I think; each SVI sends to a specific RADIUS (PSN) server.
Hope so.
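The per-VRF arrangement sketched above, written out as an IOS-XE configuration. This is an added illustration, not config posted in the thread or taken from Cisco documentation: the VRF names, VLAN numbers, server addresses (RFC 5737 documentation ranges), shared-secret placeholders, list and policy names are all assumed. It uses the IBNS 2.0 (new-style) control-policy syntax so that each access port can point dot1x at a named AAA list, and each AAA server group is bound to the tenant's VRF and sources RADIUS from that tenant's SVI.

```cisco
! Added example: one switch, two tenants, two RADIUS (ISE PSN) servers.
! All names, VLAN IDs, addresses and keys below are assumed placeholders.
aaa new-model
dot1x system-auth-control
! IBNS 2.0 policy-maps require new-style authentication commands.
authentication display new-style

! --- Tenant A: VRF, SVI used as RADIUS source, VRF-aware server group ---
vrf definition TENANT_A
 address-family ipv4
interface Vlan10
 vrf forwarding TENANT_A
 ip address 10.10.0.1 255.255.255.0      ! assumed SVI address in VRF A
radius server ISE_A
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_TENANT_A_SECRET        ! placeholder shared secret
aaa group server radius TENANT_A_GRP
 server name ISE_A
 ip vrf forwarding TENANT_A              ! RADIUS traffic stays inside VRF A
 ip radius source-interface Vlan10       ! sourced from the tenant A SVI
aaa authentication dot1x TENANT_A group TENANT_A_GRP
aaa authorization network TENANT_A group TENANT_A_GRP

! --- Tenant B: same pattern, separate VRF, SVI, server and secret ---
vrf definition TENANT_B
 address-family ipv4
interface Vlan20
 vrf forwarding TENANT_B
 ip address 10.20.0.1 255.255.255.0      ! assumed SVI address in VRF B
radius server ISE_B
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_TENANT_B_SECRET        ! placeholder shared secret
aaa group server radius TENANT_B_GRP
 server name ISE_B
 ip vrf forwarding TENANT_B
 ip radius source-interface Vlan20
aaa authentication dot1x TENANT_B group TENANT_B_GRP
aaa authorization network TENANT_B group TENANT_B_GRP

! --- One control policy per tenant, each naming that tenant's AAA list ---
policy-map type control subscriber TENANT_A_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list TENANT_A authz-list TENANT_A priority 10
policy-map type control subscriber TENANT_B_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list TENANT_B authz-list TENANT_B priority 10

! --- Access ports: tenant A clients, then tenant B clients ---
interface range GigabitEthernet1/0/1-10
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 access-session port-control auto
 service-policy type control subscriber TENANT_A_POLICY
interface range GigabitEthernet1/0/11-20
 switchport mode access
 switchport access vlan 20
 dot1x pae authenticator
 access-session port-control auto
 service-policy type control subscriber TENANT_B_POLICY
```

Two points worth checking before relying on this. First, the switch's RADIUS requests for tenant A leave through VRF TENANT_A only, so that VRF needs a route to the PSN and the PSN needs the SVI address (here Vlan10) registered as the network device; a reachability test such as `test aaa group TENANT_A_GRP <user> <pass> new-code` from the switch confirms the path and the shared secret per group. Second, as noted earlier in the thread, the number of configurable RADIUS servers and server groups is platform-limited, so the per-tenant pattern scales only as far as that limit.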