Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1366
Views
0
Helpful
6
Replies

Cisco ISE 2.2

Go to solution
jm.virtual01
Level 1
Level 1

‎04-26-2019 11:20 AM

I need to connect some specific devices in my network and need to authenticate these devices through the ISE. I have already configured dynamic profiling and all but the issue is that, the end device has two NIC cards on it and need to connect both the NIC cards to the access switch.

Both NIC cards are connected to the switch on separate interfaces with separate cabals. The device is using two NIC card to communicate in two different Vlans and both vlans are using the Data Plane.

 

Can someone suggest me the best way to accommodate this kind of arrangement i the ISE?

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP
In response to jm.virtual01

‎04-28-2019 07:59 PM

What kind of a "monitor" is this (by monitor I don't presume you mean a 'monitor display' ??)

It all depends - how do you want to authenticate wired devices in general?>  Do you have an 802.1X strategy in place, or want to do simple MAB?  You mentioned profiling - ok - that should work too, but you need each interface to generate some traffic to allow ISE to profile that Endpoint Identity (i.e. unique MAC address).

If you can do 802.1X then you need to configure each client interface with a supplicant config (hence the question, what type of device is this? Does it have a product name/model etc.?)  - or you can add the two MAC addresses into ISE and then have a simple Wired MAB policy that does whatever you want it to do.   

 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
jm.virtual01
Level 1
Level 1

‎04-26-2019 01:00 PM

In simple words, i have a dual homed end device which is connected to the cisco catalyst 3850 switch and the end device will do an authentication via ISE.

 One Nic is in Vlan 10 and the other one is in vlan 20. Bot Nics are connected on the switch at Gi 1/0/20 and Gi 1/0/21 respectively.

I can see a session only for one NIC. I need to accommodate both NIC at a same time.

 

Is there any suggestion for this type of deployment?

1.png

 

As shown in the picture, i need to do this type of arrangement. On Gi 1/0/20 and Gi 1/0/21 shows me the same mac address but only one authentication session, only for Gi 1/0/20. I need two separate session for each interface.

 

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to jm.virtual01

‎04-28-2019 02:35 PM

Is the end device doing NIC Teaming (hence, you see the same MAC address on the 3850) ?  In that case there would be no need to authenticate both links - only one can be active at a time.

If it's not NIC Teaming then please explain more about how this end device works.  It seems the second NIC is not coming active for some reason.

0 Helpful

Go to solution
jm.virtual01
Level 1
Level 1
In response to Arne Bier

‎04-28-2019 06:52 PM

The end device is a monitor and one NIC is used to communicate with the Print Server. The another NIC is used to communicate with the other database server.

I need to connect both the interface with the switch.

 

Is there any suggestion on this?

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to jm.virtual01

‎04-28-2019 07:59 PM

What kind of a "monitor" is this (by monitor I don't presume you mean a 'monitor display' ??)

It all depends - how do you want to authenticate wired devices in general?>  Do you have an 802.1X strategy in place, or want to do simple MAB?  You mentioned profiling - ok - that should work too, but you need each interface to generate some traffic to allow ISE to profile that Endpoint Identity (i.e. unique MAC address).

If you can do 802.1X then you need to configure each client interface with a supplicant config (hence the question, what type of device is this? Does it have a product name/model etc.?)  - or you can add the two MAC addresses into ISE and then have a simple Wired MAB policy that does whatever you want it to do.   

 

0 Helpful

Go to solution
jm.virtual01
Level 1
Level 1
In response to Arne Bier

‎04-30-2019 06:37 PM

I am using MAB authentication. The End device is GE Monitor.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to jm.virtual01

‎05-02-2019 03:31 AM

I have to use my own imagination when deciding what "GE Monitor" could be ... never mind.  It probably doesn't matter.  If you're doing MAB then the switch doesn't care about anything tricky like 802.1X - all it needs to receive is a valid Ethernet frame and that should trigger MAB.  If that is not happening then either the switch port is not receiving a (valid) frame or the switch port is not configured correctly. Or is the cable faulty?  Who knows.  Could be many things.  It doesn't sound like an ISE issue to me.

 

You need to be more specific about what you have, and what you have tried.  Debugs, screen shots of configs etc.

 

0 Helpful
Customers Also Viewed These Support Documents