Cisco ISE 2.2

jm.virtual01
Level 1

I need to connect some specific devices in my network and need to authenticate these devices through the ISE. I have already configured dynamic profiling and all, but the issue is that the end device has two NIC cards on it and I need to connect both NIC cards to the access switch.

Both NIC cards are connected to the switch on separate interfaces with separate cables. The device is using two NIC cards to communicate in two different VLANs and both VLANs are using the Data Plane.

Can someone suggest the best way to accommodate this kind of arrangement in the ISE?

jm.virtual01
Level 1

In simple words, I have a dual-homed end device which is connected to the Cisco Catalyst 3850 switch and the end device will do an authentication via ISE.

One NIC is in VLAN 10 and the other one is in VLAN 20. Both NICs are connected on the switch at Gi 1/0/20 and Gi 1/0/21 respectively.

I can see a session only for one NIC. I need to accommodate both NICs at the same time.

Is there any suggestion for this type of deployment?

[Image: 1.png]

As shown in the picture, I need to do this type of arrangement. Gi 1/0/20 and Gi 1/0/21 show me the same MAC address but only one authentication session, only for Gi 1/0/20. I need two separate sessions, one for each interface.

Is the end device doing NIC Teaming (hence, you see the same MAC address on the 3850)? In that case there would be no need to authenticate both links - only one can be active at a time.

If it's not NIC Teaming then please explain more about how this end device works.  It seems the second NIC is not coming active for some reason.

The end device is a monitor and one NIC is used to communicate with the Print Server. The other NIC is used to communicate with the other database server.

I need to connect both interfaces to the switch.

Is there any suggestion on this?

What kind of a "monitor" is this (by monitor I don't presume you mean a 'monitor display' ??)

It all depends - how do you want to authenticate wired devices in general? Do you have an 802.1X strategy in place, or want to do simple MAB? You mentioned profiling - ok - that should work too, but you need each interface to generate some traffic to allow ISE to profile that Endpoint Identity (i.e. unique MAC address).

If you can do 802.1X then you need to configure each client interface with a supplicant config (hence the question, what type of device is this? Does it have a product name/model etc.?) - or you can add the two MAC addresses into ISE and then have a simple Wired MAB policy that does whatever you want it to do.

I am using MAB authentication. The end device is a GE Monitor.

I have to use my own imagination when deciding what "GE Monitor" could be ... never mind.  It probably doesn't matter.  If you're doing MAB then the switch doesn't care about anything tricky like 802.1X - all it needs to receive is a valid Ethernet frame and that should trigger MAB.  If that is not happening then either the switch port is not receiving a (valid) frame or the switch port is not configured correctly. Or is the cable faulty?  Who knows.  Could be many things.  It doesn't sound like an ISE issue to me.

 

You need to be more specific about what you have, and what you have tried.  Debugs, screen shots of configs etc.
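
Added example, not part of the thread: a minimal MAB-only configuration for the two access ports described above on the Catalyst 3850, using the legacy `authentication` interface commands, with the checks that show whether each port triggers its own session. The RADIUS server name, address and shared secret are placeholders, and it assumes both NIC MAC addresses already exist as endpoints in ISE and are matched by a wired MAB policy.

```cisco
! Added example. ISE-PSN, 192.0.2.10 and <shared-secret> are placeholders.
aaa new-model
! MAB uses the dot1x method lists for authentication and authorization.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! NIC 1 of the end device (VLAN 10 in the thread)
interface GigabitEthernet1/0/20
 switchport mode access
 switchport access vlan 10
 ! One MAC address per port; a second MAC on the port is a violation.
 authentication host-mode single-host
 ! MAB only, no 802.1X attempt first.
 authentication order mab
 authentication port-control auto
 mab
 spanning-tree portfast
!
! NIC 2 of the end device (VLAN 20 in the thread)
interface GigabitEthernet1/0/21
 switchport mode access
 switchport access vlan 20
 authentication host-mode single-host
 authentication order mab
 authentication port-control auto
 mab
 spanning-tree portfast
!
! Verification, run from exec mode after the device sends traffic on both NICs:
!   show authentication sessions interface GigabitEthernet1/0/20 details
!   show authentication sessions interface GigabitEthernet1/0/21 details
!   show mac address-table interface GigabitEthernet1/0/21
! If Gi1/0/21 never shows a session, watch whether a frame arrives at all:
!   debug mab all
```

Each port should list its own session with the MAC address of the NIC attached to it. If both ports report the same MAC address, the NIC teaming question raised in the thread applies.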