
ISE Authentication for Network Devices

Fenix12585
Level 1

We currently use ISE to manage 802.1X and limited MAB authentication of endpoints on the network.

Is it possible to authenticate network devices as well?

For example, we apply authentication configs to SW2.
Then connect SW2 to SW1.
SW1 will not allow port access if SW2 does not authenticate itself with ISE.

 

2 Accepted Solutions

ammahend
VIP

I don’t think that would work; at least, I haven’t tried it. To make a device authenticate, there is the port config and the supplicant 802.1X config. In your case you are talking about configuring the uplink trunk port for 802.1X authentication and then SW1 as supplicant… and it most likely won’t work, because the 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but it is not supported on trunk ports. If you try to enable 802.1X on a trunk port, an error message will appear.

-hope this helps-


gotcha... thank you.


6 Replies

Yes, preferably with TACACS+. Are you talking about daisy-chained switches or Device Administration?

Specifically daisy-chained switches.

We are pretty heavy with TACACS+ also, so that wouldn't necessarily be a huge overhaul to implement. I was not aware TACACS+ could be used for more than device administration.

It can't. I thought you were talking about logging into the device itself. The setup you describe will not work with a trunk port, as @ammahend mentioned. What is your use case? Why do you want 802.1X on links between switches?

We have some switches that can't be easily secured properly, so it would be nice to have everything authenticate through 802.1X. Also, flex connect WAPs would be amazing to have better authenticated.
