IP-phone (MAB) & port-security mac-address sticky

YMaslov
Level 1

Hi there.

We've got the following situation:
Workstations connect to the network through an IP phone, i.e. Workstation --> IP-Phone (Avaya) --> Switch.
The client's interface is configured with "switchport port-security mac-address sticky".
Workstations are authenticated by 802.1X.
IP phones are authenticated by MAB.
If "switchport port-security mac-address sticky" is enabled (the MAC address is saved in the config), then when the cable between the IP phone and the switch is unplugged and plugged back in, there is no reauthentication, and thus no session appears in the ISE dashboard.
If "switchport port-security mac-address sticky" is disabled, then when the cable between the IP phone and the switch is unplugged and plugged back in, there is a reauthentication, and thus a new session appears in the ISE dashboard.

The client's Security Department forbids switching off "port-security mac-address sticky".

Is there any way (for example, by configuring the timers) to have the IP phone reauthenticate so that its session is displayed in the ISE dashboard?

Accepted Solution

Cory Peterson
Level 5

Port security is not recommended with 802.1x and I have also been told by TAC they do not support it.

If you only have one machine and one phone on the port then use Multidomain Auth Mode. Multidomain Auth mode only allows 1 mac in the data domain and 1 mac in the voice domain.

Your client's security department needs to change their policy, 802.1x replaces port security.

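To make the difference concrete, here is an added example (not code from the thread or from Cisco) that audits IOS interface stanzas: it flags ports that combine "port-security mac-address sticky" with 802.1X/MAB, and ports carrying a phone plus a PC that are not in multi-domain host mode. The two interface stanzas are constructed samples: Gi1/0/1 mirrors the questioner's port, Gi1/0/2 is the same port reworked with Multidomain Auth Mode; the interface names and VLAN numbers are assumptions.

```python
# Constructed sample: Gi1/0/1 as in the question (sticky + 802.1X/MAB), Gi1/0/2 reworked with MDA.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security mac-address sticky
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of stripped config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None  # end of stanza
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit(config):
    """Return {interface: [findings]}; an empty list means no conflict found."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        uses_nac = "dot1x pae authenticator" in lines or "mab" in lines
        sticky = "switchport port-security mac-address sticky" in lines
        # IOS default host-mode is single-host when no host-mode line is present
        mode = next((l.split()[-1] for l in lines if l.startswith("authentication host-mode ")), "single-host")
        problems = []
        if uses_nac and sticky:
            problems.append("port-security sticky combined with 802.1X/MAB")
        if uses_nac and mode != "multi-domain":
            problems.append(f"host-mode {mode}; use multi-domain for phone + PC")
        report[name] = problems
    return report
```

Run audit(SAMPLE_CONFIG) against a real "show running-config" dump to list every port still carrying the sticky/802.1X combination.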

3 Replies

100% agree with Cory. I have tried to implement port security and the ISE template together in the past and the results were unpredictable. In the end the client decided to remove port security and let ISE do its job.

YMaslov
Level 1

Hello there,
I'd like to thank everyone who took the time to answer my question and helped me a lot with my problem. Thank you, guys!