04-01-2019 12:34 AM - edited 02-21-2020 11:04 AM
Hi, I am figuring out a solution for the difficulty stated in the title.
I am using VMware ESXi to host dozens of VMs, and they are in various VLANs.
Since the number of physical ports is far fewer than the number of VLANs, I am now connecting the server to the switch via trunk port.
Is there any solution to do ISE authentication for the hosted VMs in different VLANs? A virtual switch?
Thank you.
04-01-2019 12:51 AM
Hey there,
Are you referring to 802.1x or RADIUS AAA?
For 802.1x, communication is done between the authenticator (usually a switch) and the RADIUS server. The supplicants (endpoints, those being authenticated) do not communicate directly with the RADIUS server. So the trunks aren't an issue on the access layer.
For RADIUS AAA the trunks are also not an issue. Your NAD (in this case a server which is connected by trunk) has a unique IP address from which it sends its RADIUS messages. This is the same IP address configured on the server. Assuming all such IP addresses are unique within the same deployment, it doesn't matter how many VLANs a server is connected to; rather, all RADIUS packets must be sent from the correct IP address. This can be verified by packet capture, and can be configured depending on the operating system (or application).
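The "verify by packet capture" step in the reply above, as an added example that is not code from the thread: it parses a RADIUS Access-Request (RFC 2865 header plus type/length/value attributes) and checks that the NAS-IP-Address attribute the NAD wrote into the packet matches the source IP the datagram actually arrived from. The packet, the 10.10.10.2 address and the MAC address are constructed for the example, not taken from a real capture.

```python
# Added example, not code from the thread: parse a RADIUS Access-Request (RFC 2865
# layout) and check that the NAS-IP-Address attribute the NAD placed in it matches
# the source IP the datagram actually came from. The packet below is constructed
# here, not taken from a capture; the addresses are made up.
import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61


def build_radius(code, ident, authenticator, attrs):
    """Encode a RADIUS packet: 20-byte header followed by type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(pkt):
    """Decode header and attributes; raises ValueError on malformed length fields."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs = []
    off = 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[off + 2:off + l]))
        off += l
    return code, ident, pkt[4:20], attrs


def nas_ip_matches_source(src_ip, pkt):
    """Return (matches, nas_ip): does NAS-IP-Address agree with the IP-layer source?"""
    _, _, _, attrs = parse_radius(pkt)
    nas_ip = None
    for t, v in attrs:
        if t == ATTR_NAS_IP_ADDRESS and len(v) == 4:
            nas_ip = str(ipaddress.IPv4Address(v))
    return nas_ip == src_ip, nas_ip


# Constructed sample: a NAD at 10.10.10.2 sending a MAB request for one MAC address.
# The 16-byte Request Authenticator is zeroed here; a real NAD sends a random one.
SAMPLE_ATTRS = [
    (ATTR_USER_NAME, b"00-50-56-ab-cd-ef"),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("10.10.10.2").packed),
    (ATTR_NAS_PORT, struct.pack("!I", 50101)),
    (ATTR_CALLING_STATION_ID, b"00-50-56-AB-CD-EF"),
    (ATTR_NAS_PORT_TYPE, struct.pack("!I", 15)),  # 15 = Ethernet (RFC 2865)
]
SAMPLE_PACKET = build_radius(ACCESS_REQUEST, 7, bytes(16), SAMPLE_ATTRS)

if __name__ == "__main__":
    print(nas_ip_matches_source("10.10.10.2", SAMPLE_PACKET))  # (True, '10.10.10.2')
    print(nas_ip_matches_source("10.10.10.3", SAMPLE_PACKET))  # (False, '10.10.10.2')
```

To use it on a real capture, feed the UDP payload of an Access-Request into nas_ip_matches_source together with the IP source address from the same packet; a mismatch usually means the NAD is sourcing RADIUS from a different interface than the one you registered in ISE as the network device.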
04-01-2019 04:42 PM - edited 04-01-2019 04:44 PM
Thanks for the explanation, maybe I was not clear enough.
I want to do RADIUS authentication (802.1X or MAB), ISE is the NAS, a physical switch is the NAD.
My problem is, the physical switch port connecting to the physical server that hosts dozens of VMs using VMware ESXi is a trunk port, because the VMs are sitting in different VLANs.
[ISE]=[SW]=(trunk_port)=[ESXi hosting multiple VM in different VLAN]
To my knowledge, I think the link between an authenticator (the switch) and the supplicant (software inside the VM) must be a layer 2 access port because they use EAPoL to initiate the RADIUS authentication.
If I can't simply configure the trunk port to do the authentication, is there any workaround?
Thank you for the help
04-01-2019 11:10 PM
EAPOL is EAP transported over Ethernet so it should technically support 802.1q.
I delved into more documentation,
In one document I've seen a few switches that supposedly do support this configuration:
However, this seems to be contradicted in other documentation which states that 802.1x over a trunk is for Cisco NEAT (Network Edge Authentication Topology). Both these documents state that the 3850 is supported.
Perhaps the earlier documentation was referring to NEAT when it mentioned that static trunks are supported. If so, then your use case isn't supported for campus switches.
For Nexus switches, it seems clearer:
They even have an example there of how to configure 802.1x on a static port with "dot1x host-mode multi-host".
If you're using a campus switch, and a modern image, maybe try configuring it the way it's done on a Nexus trunk and see if that works well?
04-02-2019 05:43 PM
Thanks for taking your time for this. I found someone asked about dot1x on a trunk port before, and apparently Cisco gave the answer and it was NO. I don't know if the newer IOS version supports this or not.
I am using C3650, C2960X and C9200 models. I can configure the port (trunk mode) with 802.1x authentication commands and didn't get the error messages they mentioned when enabling 802.1x:
  dot1x pae authenticator
  authentication port-control auto
  authentication host-mode multi-auth
However, the supplicant fails to initiate the authentication.
I think one kinda silly solution is to put an access switch in between, one access port per VLAN...
I am also considering using Cisco AVS in the VMware hypervisor, but I guess I may take my time reading the documents.
What a rough start for my first time ISE deployment.
Thank you for the help.
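The earlier reply's point that EAPOL is EAP carried directly over Ethernet (so a frame can technically sit inside an 802.1Q tag), and this post's observation that the supplicant never gets an authentication started, both come down to what actually went on the wire. The following is an added example, not code from the thread or from Cisco: it decodes an Ethernet frame, strips an optional 802.1Q tag, and reports whether the frame is EAPOL (EtherType 0x888E), which EAPOL packet type it carries, and whether it was sent to the 802.1X PAE group address 01:80:C2:00:00:03. The sample frames, the VLAN number 20 and the VM MAC address are constructed for the example.

```python
# Added example, not code from the thread: decode an Ethernet frame, strip an optional
# 802.1Q tag, and report whether it is EAPOL (EtherType 0x888E), which EAPOL packet
# type it is, and whether it went to the 802.1X PAE group address. The frames below
# are constructed here, not taken from a capture; the VM MAC address is made up.
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def build_eapol_frame(dst, src, eapol_type, vlan=None, body=b""):
    """Build an EAPOL frame, optionally inside an 802.1Q tag (priority 0, given VID)."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    eapol = struct.pack("!BBH", 2, eapol_type, len(body)) + body  # protocol version 2
    return dst + src + tag + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_frame(frame):
    """Return dst/src/vlan/ethertype and, for EAPOL, the decoded EAPOL header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, off = frame[:6], frame[6:12], 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    vlan = None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF  # low 12 bits = VID
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "eapol": None}
    if ethertype == ETHERTYPE_EAPOL:
        if len(frame) < off + 4:
            raise ValueError("truncated EAPOL header")
        version, ptype, length = struct.unpack_from("!BBH", frame, off)
        info["eapol"] = {"version": version,
                         "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
                         "length": length,
                         "to_pae_group": dst == PAE_GROUP_MAC}
    return info


def describe(frame):
    """One-line verdict for the first frame a supplicant sends: type, tagging, source."""
    info = parse_frame(frame)
    if info["eapol"] is None:
        return "not EAPOL"
    where = "untagged" if info["vlan"] is None else f"tagged VLAN {info['vlan']}"
    return f"{info['eapol']['type']} {where} from {info['src']}"


# Constructed samples: a VM supplicant sending EAPOL-Start untagged and inside VLAN 20.
VM_MAC = bytes.fromhex("005056abcdef")
START_UNTAGGED = build_eapol_frame(PAE_GROUP_MAC, VM_MAC, 1)
START_VLAN20 = build_eapol_frame(PAE_GROUP_MAC, VM_MAC, 1, vlan=20)

if __name__ == "__main__":
    print(describe(START_UNTAGGED))  # EAPOL-Start untagged from 00:50:56:ab:cd:ef
    print(describe(START_VLAN20))    # EAPOL-Start tagged VLAN 20 from 00:50:56:ab:cd:ef
```

Run describe() over the raw bytes of the first frames from a capture taken on the switch side of the trunk (a SPAN session) and on the VM side. If the EAPOL-Start leaves the VM but shows up on the switch side tagged with the VM's VLAN, the authenticator is receiving it inside a VLAN rather than as the untagged EAPOL an access port sees; this script only tells you what was on the wire, whether a given platform acts on a tagged EAPOL-Start is exactly the question the thread is trying to settle.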
04-03-2019 01:32 AM
It does sound like an odd demand for campus switches. If possible, maybe you can try a nexus switch to see if it truly does support the design you're looking for. If that's impossible (or infeasible) then perhaps see whether 802.1x is the right solution to begin with.
If you must use 802.1x, here are some options:
1) Change the switches to Nexus 3k where necessary (assuming the documentation is correct)
2) Use a vSwitch. Nexus 1000v isn't supported in recent versions of vSphere, but it does support 802.1x per VM. As far as I know, the native DVS for vSphere doesn't support this.
Is this hypervisor found outside your datacenter in a place which isn't secured physically from the rest of the end users? Perhaps 802.1x isn't necessary and something less secure is acceptable, such as TrustSec or MAB?
04-03-2019 07:17 AM