07-20-2017 09:05 AM - edited 03-11-2019 12:52 AM
Hello All,
Switches in the location in question:
Switch: WS-C4507R-E Version: 15.2(2)E4
Switch: WS-C2960-24PC-L Version: 12.2(55)SE11
I've read that if you try to enable AAA/Radius auth on a trunk port you'll get an error... Is this true?
Here's the scenario: a couple of our switchports have a PC and a printer on the same port. The problem with this is that we use Vlan1 for PCs and Vlan3 for printers. In ISE's auth policies, our Printer policy makes sure the printer is on Vlan3 and our Wired Endpoint policy (i.e. PCs) makes sure they are on Vlan1.
Is there any way to have ISE auth work with the scenario above?
I was thinking that a trunk port might allow you to enable auth on that port (802.1x and MAB). And since the printers don't pass a Vlan tag (I don't think), but their IPs are set statically, then maybe I could set it as a trunk port with allowed vlans 1,3, and the PC would grab a DHCP address in Vlan1 and the printer would already have a Vlan3 address because it's static... But I'm not sure if anything like this is possible?
Any thoughts or suggestions would be greatly appreciated!
Thanks in Advance,
Matt
07-21-2017 03:32 AM
Hi Matt,
In regard to authentication support on trunk ports, this feature was introduced in IOS version 15.2(1)E. I'm not sure if this is platform specific; I use it on a 2960X and it works fine. You will not be able to configure authentication-related commands only if the switchport is in dynamic mode.
Assuming VLAN 1 is left as the native VLAN on the trunk, your PCs will work fine, but the printers will have a problem if you are not able to set VLAN tagging on them. The switch would tag packets destined for the printer, but the printer will not understand/accept the tagged frames. In the opposite direction, the printer will not tag the frames (because it does not understand tagging / has not been instructed to), and they will end up in the native VLAN on the switch.
Regards,
Agris
Please rate if helpful
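To make the native-VLAN behaviour Agris describes concrete, here is an added Python model of 802.1Q trunk-port frame handling (constructed example, not Cisco code and not from either poster): untagged frames from a tag-unaware printer land in the native VLAN on ingress, and VLAN 3 traffic toward it leaves the trunk tagged, which the printer cannot parse. MAC addresses and frame contents are constructed sample data.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal untagged Ethernet frame (constructed sample data)."""
    return dst + src + struct.pack("!H", ethertype) + payload

def ingress_vlan(frame: bytes, native_vlan: int, allowed) -> Optional[int]:
    """Classify a frame received on the trunk: tagged frames use their VID,
    untagged frames fall into the native VLAN. None means the switch drops it."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            return None
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 bits of TCI
    else:
        vid = native_vlan
    return vid if vid in allowed else None

def egress_frame(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """Forward an untagged frame out the trunk: native VLAN leaves untagged,
    every other VLAN gets an 802.1Q header (PCP 0, DEI 0) inserted after the MACs."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) + frame[12:]

def endpoint_accepts(frame: bytes, understands_tags: bool) -> bool:
    """A tag-unaware endpoint (the printer) only parses frames without a tag."""
    return understands_tags or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q

def simulate_shared_port(native_vlan: int = 1, allowed=frozenset({1, 3})) -> dict:
    """Replay the thread's scenario: a PC (VLAN 1) and a tag-unaware printer
    (meant for VLAN 3) behind one trunk port whose native VLAN is 1."""
    pc = bytes.fromhex("0200000000a1")       # constructed MAC addresses
    printer = bytes.fromhex("0200000000b3")
    switch = bytes.fromhex("020000000001")
    pc_frame = build_frame(switch, pc)            # PC sends untagged
    printer_frame = build_frame(switch, printer)  # printer also sends untagged
    return {
        "pc_ingress_vlan": ingress_vlan(pc_frame, native_vlan, allowed),
        "printer_ingress_vlan": ingress_vlan(printer_frame, native_vlan, allowed),
        # VLAN 3 traffic toward the printer is tagged on the trunk, VLAN 1 toward the PC is not
        "printer_accepts_vlan3": endpoint_accepts(egress_frame(build_frame(printer, switch), 3, native_vlan), False),
        "pc_accepts_vlan1": endpoint_accepts(egress_frame(build_frame(pc, switch), 1, native_vlan), False),
    }
```

Running `simulate_shared_port()` shows the printer classified into VLAN 1 rather than VLAN 3 and rejecting the tagged VLAN 3 frames, while the PC on the native VLAN works normally.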
07-31-2017 10:24 AM
Hey Agris, thanks for the reply!
Sorry for the delay responding. I was out all last week and just got back to the office today.
Yeah, I tried the trunk port configuration before I left last week and was able to get a PC to auth on that port set up as a trunk. I believe I just couldn't get the printer to do the same... What you described seemed to happen with the printer.
So it seems like the printers just aren't "smart" enough to do vlan tagging on the in/outbound packets to and from the printer.
Oh well, I guess maybe we'll try getting the printers onto their own switchports.
Thanks for the reply and all the info, much appreciated!
Thanks,
Matt