01-28-2020 04:05 AM
Hi Experts,
I am setting up my own ISE lab and would like to authenticate and run posture on Windows endpoints that I would install on a VMware ESX server.
I would like to know how to set up this infrastructure, since VMware ESX uses a virtual switch.
Could you point me to the right literature to accomplish this?
01-28-2020 12:50 PM
There is no Cisco documentation that goes into depth on configuring the VMware infrastructure, and there is nothing out of the ordinary required. On the ESXi side, you would just need to configure an untagged port group on a virtual switch (either Standard or Distributed will work), and that vSwitch would have an uplink connected to an access port on your upstream physical switch. Your VMs would use that untagged port group, and the access port (host-mode multi-auth) on the physical switch would be configured as per the ISE Secure Wired Access Prescriptive Deployment Guide.
You might also have a look at some of the intro-level videos on Lab Minutes.
Cheers,
Greg
01-31-2020 09:48 AM
In addition to what's been said, you may need to configure the switch port as multi-host in order to authenticate a single 802.1x supplicant on an access port which contains multiple MAC addresses.
01-31-2020 04:33 PM
Multi-host mode is only required if you want to authenticate the first MAC address seen by the switchport and just permit any additional MAC addresses after that. It's not required or recommended unless you have a specific use case for it.
Multi-auth mode works fine in an ESXi environment and the switchport will authenticate all unique MAC addresses for the VMs connected to the vSwitch individually.
02-02-2020 10:20 PM - edited 02-02-2020 10:21 PM
So here is my understanding: the dot1x authentication would only be required for the host machines that I have added to this untagged port group?
As there is also going to be dot1x configuration on the physical port, would this not affect the other host machines on the same ESXi?
02-02-2020 11:17 PM
Ideally, it would be best to use an untagged port group on a separate vSwitch that uses a separate physical adapter as an uplink to your physical switch. Any guest VM that uses that port group would be authenticated by the NAC (MAB, dot1x) config on the physical switch (when host mode multi-auth is used).
If you tried to use a physical adapter on a vSwitch with multiple port groups, all VMs on those port groups would be impacted by the NAC config on the upstream physical switch.
02-03-2020 09:44 PM
Understood. Now I need to check whether I can get that setup up and running on our only test ESXi server.
Thanks for all the inputs!