Authenticating downstream switch on a NAC-enabled port
04-22-2025 06:34 AM
Hello Everyone,
Wanted to check with you whether you've encountered such a scenario, where you had NAC enabled (multi-auth mode) on the Catalyst 9300 switch and on some ports there were downstream switches connected that do not support dot1x/MAB. I wanted to authenticate the connected switch's MAC and push a dynamic template on that port that makes it a trunk with 1 allowed VLAN and root guard, but I'm worried that there might be some cases, e.g.:
- session timeout (reauthentication timer)
- link up/down
where a packet from a device directly connected to the downstream switch (printer, laptop) might arrive as the first packet on the Catalyst 9300 port, and that device will then authenticate, but with a dynamic VLAN assignment or Access-Accept and not with the dynamic template. Even worse, if someone connects a device to the downstream switch that is not included in the Endpoint Identity Group for MAB, the whole port will get unauthorized.
Additionally, if the downstream switch is unmanaged, then I guess I'll need to push a template with switchport mode access and not trunk, as unmanaged switches do not support trunking, I think.
Have you encountered such scenario and what helped you the most in such case?
Thank you for any responses.
04-22-2025 06:39 AM
Managed or unmanaged switches? The best solution is to eliminate the daisy-chain switches.
04-22-2025 06:46 AM
A managed third-party switch, and a scenario with an unmanaged Cisco/third-party switch.
In the first scenario I was thinking about a dynamic template with a trunk with 1 VLAN.
In the second one I was thinking about just an access port in 1 VLAN.
04-22-2025 07:05 AM
An unmanaged switch should work fine with multi-auth mode. Each MAC address will be authenticated individually. With a managed switch you will most likely need to properly configure it with 802.1X/MAB. Or eliminate these switches.
04-22-2025 07:45 AM
04-22-2025 11:51 PM
Maybe this is a stupid idea, but wouldn't applying a pre-auth MAC access list which permits only the MAC of the downstream switch (so no other MAC can take over this authentication) work, and when it authenticates, the port is then set to an access port in 1 VLAN via the Access-Accept?
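As an added configuration example (written for this page; it is not something any participant in the thread posted), here is what the two ideas in this thread look like on an IOS-XE Catalyst 9300: the dynamic interface template from the first post (a managed-switch trunk variant and an unmanaged-switch access variant) and the pre-auth MAC ACL from the last post. It assumes new-style (IBNS 2.0) access-session configuration with an already defined control policy named POLICY_MAB_DOT1X, VLAN 10 for the downstream switch, and a placeholder downstream-switch MAC of 0011.2233.4455; all names, VLAN numbers and the MAC are placeholders. ISE selects the template by returning the Cisco AV pair `interface-template-name=<template>` in the Access-Accept of the switch's MAB session. Whether `spanning-tree guard root` is accepted inside a template on a given release, and whether a statically applied `mac access-group` actually stops MAB from being triggered by other source MACs (on Catalyst platforms MAC ACLs are documented as filtering non-IPv4 traffic, and they are not replaced by the authorization result the way an IP pre-auth ACL is by a dACL), are assumptions to verify in a lab before relying on them.

```cisco
! Added example, not from anyone in this thread. Assumes IOS-XE on a
! Catalyst 9300 with new-style (IBNS 2.0) access-session configuration,
! an already defined control policy POLICY_MAB_DOT1X, VLAN 10 for the
! downstream switch, and a placeholder downstream MAC 0011.2233.4455.

! Pre-auth MAC ACL from the last post: before the session is authorized,
! only the downstream switch's own MAC is permitted. The final deny is the
! implicit default, written out for clarity. Verify on your release that a
! static MAC ACL really prevents MAB sessions for other source MACs.
mac access-list extended PREAUTH-DOWNSTREAM-SW
 permit host 0011.2233.4455 any
 deny any any

! Template for a managed downstream switch: trunk with one allowed VLAN
! plus root guard. ISE returns it as the Cisco AV pair
!   interface-template-name=TPL-MANAGED-SW
! (root guard inside a template is an assumption; check your release).
template TPL-MANAGED-SW
 switchport mode trunk
 switchport trunk allowed vlan 10
 spanning-tree guard root

! Template for an unmanaged downstream switch: access port in one VLAN.
!   interface-template-name=TPL-UNMANAGED-SW
template TPL-UNMANAGED-SW
 switchport mode access
 switchport access vlan 10
 spanning-tree guard root

! Port facing the downstream switch. The static lines are the pre-auth
! state; the template ISE returns overrides them for the session's life,
! so a reauthentication or link flap that produces a different session
! result (e.g. a printer's MAB session first) also changes what is applied.
interface GigabitEthernet1/0/10
 description Downstream switch without dot1x/MAB support
 switchport mode access
 switchport access vlan 10
 mac access-group PREAUTH-DOWNSTREAM-SW in
 access-session port-control auto
 access-session host-mode multi-auth
 mab
 dot1x pae authenticator
 service-policy type control subscriber POLICY_MAB_DOT1X
```

To check which template a session actually received, `show access-session interface GigabitEthernet1/0/10 details` shows the authorization result per MAC, and `show derived-config interface GigabitEthernet1/0/10` shows the port configuration with the applied template merged in. Test the two failure cases raised in the first post explicitly: clear the session and bring the link up with a device behind the downstream switch already chattering, and let the reauthentication timer expire, then confirm the port still ends up with the intended template rather than only a VLAN assignment.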
