Cisco NAC and MACSEC Switch connection

Davis-Revent-12
Hi Cisco NAC peeps,

We have an existing deployment using Cisco NAC configured on Catalyst IOS-XE switches (i.e. 9400) that have NAC-enabled access interfaces for authentication via Cisco ISE, using 802.1X certificate auth for PCs and MAB authentication for other devices.
 
My questions are:

1) If we connect a new access layer switch from a new site (call it site 2, across the road) using fiber to the existing site 1 FD switch, will NAC still work on it if we connect at layer 2 and enable PSK MACsec between the switches' trunk links connecting site 1 to site 2 (which is network-link mode), with the access ports on the new site 2 switch also enabled with NAC on the access interfaces?

2) Can we also connect another switch off the new site 2 switch, i.e. daisy chain at layer 2, and run NAC?

So it would be connected as: site 1 switch FD <> site 2 switch A <> site 2 switch B.

I am fairly sure it will still work with NAC etc., but I'm just seeing if anything would be an issue, apart from the obvious potential bottleneck on the first switch's 2 uplinks to the site 1 FD switch.
 
Any comments would be welcome 
 
Thanks
Accepted Solution

@Davis-Revent-12 I don't foresee a problem with this. MACsec will be enabled on the interfaces connecting the switches, and NAC (802.1X/MAB) enabled on the switchports the endpoints are connected to. The switches will need a mgmt IP address to be able to communicate with ISE using RADIUS and be configured for NAC.

Yes, you can daisy chain another switch; just don't enable NAC on the interfaces between switches.

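The split described in the accepted answer (PSK MACsec on the switch-to-switch trunks, 802.1X/MAB only on endpoint-facing ports, a management IP reachable from ISE), written out as an IOS-XE configuration sketch. This is an added example, not configuration from the original post or from Cisco; interface numbers, VLANs, IP addresses, the key-chain and policy names, and the placeholders for the CAK and RADIUS secret are all assumptions and must be replaced with your own values.

```cisco
! ===== Site 1 FD switch (Catalyst 9400, IOS-XE) =====
! MACsec key chain: CKN "01" and the CAK must be identical on both ends of the link
key chain MKA-SITE2 macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string <64-hex-char CAK, same value on both ends>
  lifetime local 00:00:00 Jan 1 2024 infinite
!
mka policy MKA-GCM256
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 0
!
! Inter-switch link: trunk + MACsec/MKA with PSK. No 802.1X or MAB commands here.
interface TenGigabitEthernet1/1/1
 description Uplink to Site-2 Switch-A (fiber, MACsec)
 switchport mode trunk
 macsec network-link
 mka policy MKA-GCM256
 mka pre-shared-key key-chain MKA-SITE2
!
! ===== Site 2 Switch A =====
! Configure the same key chain and MKA policy as above on this switch, then:
interface TenGigabitEthernet1/1/1
 description Uplink to Site-1 FD switch (fiber, MACsec)
 switchport mode trunk
 macsec network-link
 mka policy MKA-GCM256
 mka pre-shared-key key-chain MKA-SITE2
!
! Daisy-chain link to Switch B: plain trunk as in the thread, still no NAC on it
interface TenGigabitEthernet1/1/2
 description Downlink to Site-2 Switch-B (fiber, no MACsec)
 switchport mode trunk
!
! Management reachability to ISE (assumed mgmt SVI and ISE PSN address)
interface Vlan100
 description Management
 ip address 10.1.100.12 255.255.255.0
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN1
 address ipv4 10.1.10.10 auth-port 1812 acct-port 1813
 key <RADIUS shared secret configured on ISE for this NAD>
ip radius source-interface Vlan100
dot1x system-auth-control
!
! Endpoint-facing access ports only: 802.1X first, fall back to MAB
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
!
! Verification after bringing the links up:
!   show mka sessions
!   show macsec summary
!   show authentication sessions interface GigabitEthernet1/0/1 details
```

Two checks worth doing before relying on this: confirm with `show mka sessions` that the MKA session on the site 1 to site 2 link is Secured before you depend on the uplink, since with the default must-secure access control the interface forwards nothing while MKA is down; and confirm that both ends (the 9400 line card and the new site 2 switch model and optics) actually support MACsec on the uplink ports. The access-port block uses the legacy authentication-manager syntax; recent IOS-XE releases accept it but may display it as IBNS 2.0 class-map/policy-map configuration. The RADIUS request to ISE is sourced from the management SVI, so ISE must have each new switch defined as a network device with that address and shared secret, and the switch A to switch B link in the thread is unencrypted, so only the inter-site fiber gets MACsec protection.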

4 Replies


Hi Rob,

Thanks for confirming what I thought also. Yeah, I cannot see why it would not work. Noted also on not enabling NAC on any of the switch-to-switch connections, whether they use MACsec or not.

So our connection would be something along these lines:

Site 1 FD switch <fiber with MACsec link> Site 2 switch A <fiber link> Site 2 switch B.

Site 2 switches: access ports only enabled with NAC.

Cheers

Should be no issue.

Thanks for responding back also and confirming as such.

Cheers