
802.1x recommendations

Val3y (Level 1)

We are wanting to start using 802.1X on our network. I have no experience with it at all. I was wondering if anyone could provide recommendations on implementation strategies, pitfalls to watch out for, and what options are available.

Some of the areas I’m specifically interested in:

- Best practices for implementation

- Things that may go unthought of

- Different implementation options - We are open to Cisco ISE, but also want to know about other options like Microsoft NPS or even open-source solutions (e.g. FreeRADIUS). I'd love to hear what others have had success with

- Integration considerations - Are there benefits to tying 802.1X into VLAN assignment, guest access portals, or posture assessments?

Our longer-term plan is to move to a Layer 3 ring topology, so we want to make sure endpoint authentication and access control are in place before we do that. Any lessons learned, gotchas, or design recommendations would be very helpful.

Accepted Solution

@Val3y use certificates (EAP-TLS) for authentication as opposed to username/password (MSCHAPv2), as Windows Credential Guard on recent versions of Windows blocks MSCHAPv2 for being insecure. Use EAP Chaining (TEAP) to combine user and machine authentication for the most secure authentication.

Use 802.1X where you can and MAB if you must; if you use MAB, combine it with profiling.

I don't see the need for dynamic VLAN assignment, as that adds overhead managing additional VLANs and DHCP scopes. Use TrustSec or dACLs to enforce different policies to restrict access instead.

Posture assessment should be used to grant access based on the health of the computer.

Refer to the Cisco ISE Wired Prescriptive Guide for more information on switch configuration - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Refer to the ISE scale and performance guide to build your ISE cluster - https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

 


3 Replies

M02@rt37 (VIP)

Hello @Val3y 

First, use a pilot VLAN and a limited set of devices to validate authentication methods, certificates, and policy. Use EAP-TLS for endpoints whenever possible because it is the most secure, relying on certificates instead of just passwords.

Think about keeping a fallback mechanism, such as MAC Authentication Bypass (MAB), for devices that cannot support 802.1X, like printers and IP phones.

Cisco ISE provides the most "feature-rich" platform, with support for posture assessment, guest access, and dynamic VLAN assignment. Microsoft NPS is simpler and works well if most authentication is tied to AD, but lacks the advanced features of ISE.

Open-source solutions like FreeRADIUS are cost-effective and highly customizable, suitable for labs or small deployments.

 

Best regards
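Both the accepted solution and the reply above come down to the same port-level rule: run 802.1X first, keep MAB only as a fallback, and do not leave ports in monitor mode after the pilot. The script below is an added example for this thread, not code from any of the posters or from Cisco: it parses an IOS-style running-config and audits every access port against that rule. The sample config is constructed, uses the classic (pre-IBNS 2.0) `authentication ...` command syntax, and the checklist itself is my reading of the thread's advice rather than any vendor-published baseline; the `ip device tracking` check assumes classic IOS, where it is the prerequisite for dACLs to bind to a client IP (IOS-XE uses `device-tracking` policies instead, which this check does not cover).

```python
"""Audit a Cisco IOS-style running-config for 802.1X enforcement with MAB
fallback on access ports. Added example for this thread, not from the posters
or from Cisco; sample config is constructed, classic command syntax assumed."""

# Constructed sample: three access ports in different states of readiness
# plus an uplink that the audit must ignore.
SAMPLE_CONFIG = """\
ip device tracking
!
interface GigabitEthernet1/0/1
 description user port - enforced
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode multi-auth
 authentication event fail action next-method
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description pilot port - still in monitor mode
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description printer port - MAB never configured
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
!
"""

# Lines every enforced access port needs, and what their absence means.
REQUIRED = {
    "authentication port-control auto": "port never enforces authentication",
    "dot1x pae authenticator": "switch will not run 802.1X on the port",
    "mab": "no MAB fallback for printers/phones",
    "authentication order dot1x mab": "802.1X is not tried before MAB",
}


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each interface block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif not line.startswith(" "):
            current = None  # '!' or a global command ends the block
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def audit_port(lines):
    """Return findings for one access port (empty list = compliant)."""
    findings = [f"missing '{cmd}': {why}" for cmd, why in REQUIRED.items() if cmd not in lines]
    if "authentication open" in lines:
        findings.append("monitor mode ('authentication open'): traffic passes before authentication")
    if "mab" in lines and "authentication event fail action next-method" not in lines:
        findings.append("MAB present but no 'authentication event fail action next-method': "
                        "a failed 802.1X attempt (bad credentials) will not fall back to MAB")
    return findings


def audit_config(config):
    """Audit every access port; trunks and routed ports are out of scope."""
    return {name: audit_port(lines)
            for name, lines in parse_interfaces(config).items()
            if "switchport mode access" in lines}


def global_findings(config):
    """Global prerequisites (classic IOS assumption: dACLs need ip device tracking)."""
    global_cmds = {l.strip() for l in config.splitlines()
                   if l and not l.startswith((" ", "!", "interface "))}
    findings = []
    if "ip device tracking" not in global_cmds:
        findings.append("missing 'ip device tracking' (classic IOS prerequisite for dACLs)")
    return findings


if __name__ == "__main__":
    for finding in global_findings(SAMPLE_CONFIG):
        print("global:", finding)
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run it against `show running-config` output from a pilot switch before you flip ports to closed mode; the monitor-mode finding is expected during the pilot and is the one to clear last.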


Leo Laohoo (Hall of Fame)

@Val3y wrote: "pitfalls to watch out for"

The switches. 

We implemented 802.1x in 2014. Initially we used FreeRADIUS and, when ISE became mature (version 2.0), we migrated to ISE. During that time, our switches ran on classic IOS. The switches were 2960S, 2960X and 3750X.

One of the biggest "strains" in 802.1x is clients that have the wrong settings or wrong passwords and hammer switches with continuous authentication requests. Classic IOS switches were able to handle the strain and the load like an Olympic champion.

Unfortunately, the good run had to end when we upgraded to IOS-XE. We started with 3850 and then 9300. In both cases, we can successfully hammer IOS-XE switches down to their knees just with continuous failed authentications, which can result in a memory leak, for example CSCwr04009. Either the switches crash or the ports will stop forwarding traffic or delivering PoE.

IOS-XE access switches do not stand a snowball's chance in hell. There is no such thing as an IOS-XE access switch with 802.1x, flapping interface(s), "stable" and an uptime of >1 year.

Always proactively reboot IOS-XE switches every 8 to 12 months.
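The failure storms described in the post above are visible in the switch's own syslog long before the box falls over. The script below is an added example for this thread, not code from the poster or from Cisco: it runs a sliding-window count of failed 802.1X/MAB authentications per (switch, interface, MAC) over syslog and reports the endpoints that keep retrying, so the misconfigured supplicants can be fixed. The log lines are constructed to resemble `%DOT1X-5-FAIL` and `%MAB-5-FAIL` messages; the exact field layout differs between IOS and IOS-XE releases, so the regex, the 60-second window and the threshold of 10 are assumptions to tune against your own logs.

```python
"""Flag endpoints that hammer an access switch with continuous failed 802.1X or
MAB authentications. Added example for this thread, not from the poster or from
Cisco; log lines are constructed and the regex/thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed message layout; adapt to the exact format your release emits.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) %(?P<kind>DOT1X|MAB)-5-FAIL: "
    r".*?client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\).*?on Interface (?P<iface>\S+)")


def _fail_line(ts, kind, mac, iface, sess):
    """Build one constructed failure line (hostname and AuditSessionID are made up)."""
    return (f"{ts:%b %d %H:%M:%S} sw-acc-01 %{kind}-5-FAIL: Authentication failed for client "
            f"({mac}) with status (Auth Fail) on Interface {iface} AuditSessionID 0A0A0A0A{sess:08X}")


_T0 = datetime(2025, 1, 10, 8, 0, 0)
# Constructed sample: one misconfigured supplicant retrying every 3 s for a minute,
# one user who mistyped a password twice, one MAB miss and one unrelated success.
SAMPLE_LOG = "\n".join(
    [_fail_line(_T0 + timedelta(seconds=3 * i), "DOT1X", "0011.2233.4455", "Gi1/0/7", 0x11 + i)
     for i in range(21)]
    + [_fail_line(_T0 + timedelta(seconds=5), "DOT1X", "aabb.cc00.0100", "Gi1/0/3", 0x40),
       _fail_line(_T0 + timedelta(minutes=2), "DOT1X", "aabb.cc00.0100", "Gi1/0/3", 0x41),
       _fail_line(_T0 + timedelta(seconds=30), "MAB", "0050.56aa.bbcc", "Gi1/0/9", 0x50),
       f"{_T0 + timedelta(seconds=31):%b %d %H:%M:%S} sw-acc-01 %DOT1X-5-SUCCESS: "
       "Authentication successful for client (0050.56aa.0001) on Interface Gi1/0/4"])


def parse_failures(text, year=2025):
    """Yield (timestamp, host, interface, mac, kind) for each failure line.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["iface"], m["mac"], m["kind"]


def find_auth_storms(text, window_s=60, threshold=10):
    """Sliding-window count of failures per (host, interface, mac).
    Returns {key: peak failures inside any window_s-second window} for keys that
    reached threshold; endpoints below threshold are left out entirely."""
    windows = defaultdict(deque)
    peak = {}
    for ts, host, iface, mac, _kind in sorted(parse_failures(text)):
        key = (host, iface, mac)
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            peak[key] = max(peak.get(key, 0), len(q))
    return peak


if __name__ == "__main__":
    for (host, iface, mac), n in find_auth_storms(SAMPLE_LOG).items():
        print(f"{host} {iface} {mac}: {n} failed authentications inside 60 s")
```

Feed it a syslog export (or wire `parse_failures` to a collector) and page on the returned keys; a single endpoint that retries every few seconds is exactly the client the post says brings an IOS-XE switch down, and the MAC and port in the output are what you need to find and fix it.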