Has anyone configured 802.1X in an ACI environment for virtual machines?

On the VM I get the following error when enabling 802.1X on the switch port where the physical ESXi port is connected. The multi-auth option is selected in ACI. AAA is configured on Cisco ISE, with Windows as the default supplicant on the VMs. Cisco ISE has been integrated with AD for user authentication.

The network does not support authentication.


What is the use-case for performing 802.1X on a VM at all?  What is the security benefit of doing this?

The use case is that a Citrix virtual desktop (VDI) solution is running on an ESXi (VMware) host. Corporate users log in on the VDI, hence the company needs a NAC solution. The company already has ISE with Windows AD integrated via pxGrid. Normal laptops and desktops connected via wireless and wired are already doing AAA using AD roles through ISE and FTD firewalls. I want to extend (audit requirement) this solution to the VDI VMs as well, as corporate users log in to the VDIs.
When I check the Cisco FTD logs I cannot see domain\user info. While troubleshooting I found that the VMware NIC does not support 802.1X authentication.
Someone has done this with passthrough mode on VMware, but for that, each physical NIC utilized for a vNIC plus vMotion is supported. See https://www.virtualizationhowto.com/2019/05/enable-vmware-virtual-machine-802-1x-authentication/
As different users have different AD roles, each user needs to be authenticated separately.

Arne Bier (VIP)

Agree with @ahollifield - the point of NAC is to protect the network from bad actors (physical endpoints). The way to approach hypervisors connected to the access layer switches is to configure the switch interface as multi-host. This means that we authorize the port when we see Ethernet frames from the hypervisor (e.g. vmKernel traffic during boot up). Once the hypervisor is booted up, the switch interface will be open to communicate, and the VMs will start up and can send traffic to the network (without needing to be authenticated).
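As an added illustration that is not part of the original thread, the two host modes contrasted on a Cisco IOS/IOS-XE access-switch interface (ACI expresses the same host-mode choice in its 802.1X policy rather than on the CLI); the interface name, VLAN and the use of MAB for the hypervisor's own MAC are assumptions:

```cisco
! Port facing the ESXi uplink, configured as in the question (multi-auth):
! every MAC seen on the port must authenticate on its own. The vSwitch does
! not forward the VM's EAPOL frames, so the Windows supplicant in the VM
! reports that the network does not support authentication and the VM's MAC
! never gets authorized.
interface GigabitEthernet1/0/10
 description ESXi-host-uplink (assumed name)
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication host-mode multi-auth
 dot1x pae authenticator
 mab
!
! Same port as suggested in the reply above (multi-host): the first MAC to
! authenticate (here the hypervisor's vmkernel MAC, authorized via MAB as an
! assumption, since ESXi runs no supplicant on its uplink) opens the port,
! and every other MAC behind it (the VMs) is then forwarded without its own
! authentication. The trade-off is that the VMs are admitted solely on the
! strength of the hypervisor's authorization, not per user or per VM.
interface GigabitEthernet1/0/10
 description ESXi-host-uplink (assumed name)
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication host-mode multi-host
 authentication order mab dot1x
 dot1x pae authenticator
 mab
```

Per-user authorization for the VDI sessions then has to come from somewhere other than the port, which is why the thread points to AD identity mapping (pxGrid/FTD) rather than 802.1X for the VMs.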

Arne Bier (VIP)

Yes - vSwitch doesn't perform NAC. I don't know if Nexus 1000V is still around - but that was a replacement for the VMware vDS and you essentially had an IOS switch running inside your vSphere. That may have been the answer. Passthrough is the other option (where the physical switch performs the NAC).

I still don't see the use case of performing NAC for VDI users. Is it not enough to rely on AD authentication, and to set a static role for those VDI connections (for the FTD)?

Yeah, 1000V is EOL. VMware NSX-T has solved this issue for some customers.

Hi,

Is it possible to provide some documentation regarding NSX-T and 802.1X? I tried googling around it but didn't find 802.1X with NSX-T or VMware. Cisco 1000V has 802.1X, but VMware does not support third-party virtual switches, and it has been declared EOL by Cisco too.

Hi,

This is not possible as different users have different authorization levels based on their AD roles.