06-21-2018 02:55 PM
Can anyone confirm if this comment is correct or not? I have never heard this statement before and have authenticated Guest VMs many times in the past. I recently ran in to an issue where some of the guests are not even showing in the auth session database on the switch or ISE and reached out to TAC.
"Dot1x or MAB authentication for VMs is known for not working properly or not working at all, and is not supported."
Thank You,
-Cory
06-21-2018 07:44 PM
Hmm, in bridged mode the guest VMs should have unique MACs and show up on the switch port to be authenticated. In NAT mode only the host's MAC would show up. Are you seeing the MACs show up on the switch port when you do "show auth session" or "show access-session"?
06-21-2018 11:13 PM
I see all the MACs in the CAM tables but only some of the MACs in the auth session table. It is not any set amount missing between different ports either; some have 6 of 8 authenticating, others have 4 of 8 authenticating.
The reason I asked about the comment in bold is that that is what TAC sent me in an email, and I have never seen that mentioned in all the posts here about authenticating guest VMs on an access port.
06-22-2018 01:36 PM
This is the first I heard of it. If possible, please share the TAC case number so we may take a look and see more context.
06-22-2018 02:59 PM
We have not done much with the case yet but collect logs and Show Tech, and before we did much I got that response from TAC.
TAC Case#684675337
Thanks for looking into this!
06-22-2018 07:14 PM
I see your case has all mac addresses in "show mac add int <>" but not in "show auth sessions int <>". If possible, I would suggest to try (1) a hub and some physical wired devices on the same 4510R+E with Sup8-E and (2) a different switch model, such as 3650. This is likely a bug on the switch platform.
The VM issues I usually run into in our lab are because they are connecting to a VMware port-group, which in turn connects to the VMware vSwitch and then to the physical interface. Thus, we usually need to use some particular means to get DOT1X to work, especially with the native supplicants, or they would fail over to MAB.
I tried 9 clients on the same interface of 3650 (on 3.6.3E) in our lab and all showed up in both "show auth sessions int <>" and "show mac add int <>".
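The comparison made in this post ("show mac add int <>" against "show auth sessions int <>"), as an added example that is not part of the original thread: a short Python script that lists which MACs learned on a port have no authentication session. The function names are hypothetical and the sample CLI text is constructed, with an approximate column layout; only the dotted MAC format is relied on.

```python
import re

# Cisco IOS prints MACs as three dot-separated groups of four hex digits.
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.IGNORECASE)


def macs_in(cli_output):
    """Set of MAC addresses (lower-cased) that appear anywhere in CLI text."""
    return {m.lower() for m in MAC_RE.findall(cli_output)}


def port_report(mac_table_output, auth_session_output):
    """Compare the MACs learned on a port with the MACs that have a session."""
    learned = macs_in(mac_table_output)
    sessions = macs_in(auth_session_output)
    return {
        "learned": len(learned),
        "with_session": len(learned & sessions),
        "no_session": sorted(learned - sessions),    # in MAC table, no session
        "session_only": sorted(sessions - learned),  # session, not in MAC table
    }


# Constructed sample text for one port (not taken from the TAC case).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.0001    DYNAMIC     Gi2/1
  10    0050.56aa.0002    DYNAMIC     Gi2/1
  10    0050.56aa.0003    DYNAMIC     Gi2/1
  10    0050.56AA.0004    DYNAMIC     Gi2/1
"""

SAMPLE_AUTH_SESSIONS = """\
Interface  MAC Address     Method  Domain  Status         Session ID
Gi2/1      0050.56aa.0001  mab     DATA    Authz Success  0A0A0A0100000011
Gi2/1      0050.56aa.0002  dot1x   DATA    Authz Success  0A0A0A0100000012
Gi2/1      0050.56aa.0004  mab     DATA    Authz Success  0A0A0A0100000014
"""

if __name__ == "__main__":
    report = port_report(SAMPLE_MAC_TABLE, SAMPLE_AUTH_SESSIONS)
    print(f"{report['with_session']} of {report['learned']} MACs have a session")
    for mac in report["no_session"]:
        print("no auth session:", mac)
```
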
06-24-2018 09:05 PM
Cory, hit me up on Skype tomorrow. I have dealt with some interesting behavior with VMware over the past couple years. We can at least go over my lessons learned and maybe something will relate to the issue you are having.
06-25-2018 09:55 AM
Cory, we have always used Windows VMs for our ISE Sales Trainings so you absolutely can do it!
The key is to directly map a VM to a specific physical port (wireless/wired USB dongle, UCS ethernet port, etc.).
Alternatively, ensure you have bridged the VMware NIC to the host computer NIC.
Do not use VMware NAT! If you use VMware NAT, the VM's MAC will not show on the port and all traffic will look like that of the host computer.