I am curious about an ISE issue related to port authentication.
Let's suppose the multi-domain authentication type is used on the port side.
Once the port is authorized, I unplug the PC and connect another PC doing MAC and IP spoofing (same IP and MAC as the previous PC had).
In this situation, what does ISE do to prevent this? How does it put up obstacles?
Otherwise, does the attacker PC get network access?
It's a Cisco IOS switch feature to detect that an endpoint has disconnected, to terminate the existing authentication session, and then to start a new session for a new connection.
On the ISE side, the same policy will apply if it is based solely on the MAC address. Please read the ISE Profiling Design Guide for further info.
I am going to read the guide you presented.
But until then, I wonder about the case where the PC sits behind the phone. Surely, if the PC connects directly to the switch, once the port goes down and comes up the re-authentication process is started. I mean the switch is not aware of what happens behind the phone. Or let's suppose the multi-auth method is used and the PC sits behind a hub, which a friend mentions below. Is it possible to spoof that PC?
Both of these answers are true if the device is plugged directly into the switch port, but if the device is unplugged and the switch doesn't know anything about that (phone not doing EAP proxy-logoff, hub, cheap switch, etc.) and the new device is spoofing the exact same MAC, you probably would get on. What triggers authentication on the switch side is the learning of a new MAC address in the MAC address table. If something is preventing the MAC address from being removed when the device disconnects, then there is no new MAC address learned to trigger authentication.
Now the PEAP Session Timeout is 60 sec. Thank you a lot.
Re-authentication every 60 seconds is usually considered too frequent. I would suggest you review the sizing advice from
If the switch supports it and you are using Cisco AnyConnect NAM, endpoint MACsec can be another option.
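The two mechanisms discussed in this thread, the switch re-authenticating only when it learns a new MAC address and the server-supplied reauthentication/inactivity timers that bound how long a spoofed session can survive behind a phone or hub, map onto a fairly standard Cisco IOS access-port configuration. The interface configuration below is an added example written for this thread, not configuration from any of the posters; the interface name, VLAN numbers, RADIUS server address and shared secret are placeholders, and it assumes the classic (non-IBNS 2.0) authentication manager CLI and an ISE authorization profile that returns a Session-Timeout long enough to avoid the 60-second reauthentication rate mentioned above.

```cisco
! --- global AAA / 802.1X plumbing (placeholder server address and key) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>

! --- access port: phone in the voice domain, PC in the data domain ---
interface GigabitEthernet1/0/10
 description multi-domain access port (example)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 ! one session in the voice domain and one in the data domain, as in the question
 authentication host-mode multi-domain
 authentication port-control auto
 ! try 802.1X first, fall back to MAB for endpoints without a supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 ! periodic reauthentication; the interval comes from the RADIUS Session-Timeout
 ! (ISE authorization profile), so the 60-second value is tuned on ISE, not here
 authentication periodic
 authentication timer reauthenticate server
 ! inactivity timer from RADIUS Idle-Timeout; "dynamic" probes the host before
 ! tearing the session down, which is what removes a stale MAC behind a phone/hub
 authentication timer inactivity server dynamic
 ! a second MAC in the data domain is logged and dropped rather than errdisabling the port
 authentication violation restrict
 !
 ! optional, only where the switch and the AnyConnect NAM supplicant support it
 ! (placeholder, per the MACsec suggestion above):
 !  macsec
 !  authentication linksec policy must-secure
```

With this in place the data-domain session is still only torn down when the switch notices the change: a clean link-down, a CDP/LLDP second-port-status (proxy-logoff) message from the phone, the inactivity probe failing, or the periodic reauthentication from ISE's Session-Timeout. A spoofed MAC behind a dumb hub or a phone that does not report link state therefore survives until one of those timers fires, which is why the timers matter and why MACsec, which ties the session to a per-link key the spoofing host does not have, closes the gap the timers cannot.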