Solved: Authenticating a machine running on VMware ESX

dgaikwad · ‎01-28-2020

Hi Experts,
I am setting up my own ISE lab and would like to authenticate and run posture on Windows endpoints that I would install on VMware ESX server.
I would like to know the how to setup this infra, since, there VMware ESX uses a virtual switch.

Could you point me to the right literature to accomplish this?

Greg Gibbs · ‎01-28-2020

There is no Cisco documentation that goes into depth in configuring the VMware infrastructure and there is nothing out of the ordinary required. On the ESXi side, you would just need to configure an untagged port group on a virtual switch (either Standard or Distributed will work) and that vSwitch would have an uplink connected to an access port on your upstream physical switch. Your VMs would use that untagged port group and the access port (host-mode multi-auth) on the physical switch would be configured as per the ISE Secure Wired Access Prescriptive Deployment Guide

You might also have a look at some of the intro-level videos on Lab Minutes

Cheers,

Greg

View solution in original post

Greg Gibbs · ‎01-28-2020

There is no Cisco documentation that goes into depth in configuring the VMware infrastructure and there is nothing out of the ordinary required. On the ESXi side, you would just need to configure an untagged port group on a virtual switch (either Standard or Distributed will work) and that vSwitch would have an uplink connected to an access port on your upstream physical switch. Your VMs would use that untagged port group and the access port (host-mode multi-auth) on the physical switch would be configured as per the ISE Secure Wired Access Prescriptive Deployment Guide

You might also have a look at some of the intro-level videos on Lab Minutes

Cheers,

Greg

Nadav · ‎01-31-2020

In addition to what's been said, you may need to configure the switch port as multi-host in order to authenticate a single 802.1x supplicant on an access port which contains multiple MAC addresses.

Greg Gibbs · ‎01-31-2020

Multi-host mode is only required if you want to authenticate the first MAC address seen by the switchport and just permit any additional MAC addresses after that. It's not required or recommended unless you have a specific use case for it.

Multi-auth mode works fine in an ESXi environment and the switchport will authenticate all unique MAC addresses for the VMs connected to the vSwitch individually.

dgaikwad · ‎02-02-2020

So here is my understanding, the dot1x authentication would only be required for the host machines that I have added in this untagged port group?
As there is going to be dot1x configuration on the physical port as well, would this not affect the other host machines on this same ESXi?

Greg Gibbs · ‎02-02-2020

Ideally, it would be best to use an untagged port group on a separate vSwitch that uses a separate physical adapter as an uplink to your physical switch. Any guest VM that uses that port group would be authenticated by the NAC (MAB, dot1x) config on the physical switch (when host mode multi-auth is used).

If you tried to use a physical adapter on a vSwitch with multiple port groups, all VMs on those port groups would be impacted by the NAC config on the upstream physical switch.

dgaikwad · ‎02-03-2020

Understood, now need to check if I could have that setup up and running on our only test ESXi server.
Thanks for all the inputs!