
ISE Posture on Windows machine with Hyper-V

atapiafl@cisco.com
Cisco Employee

Hello team,

I have a customer that has Windows machines. When they activate KVM Hyper-V VM, it is like the network card/adapter of the machine deactivates (something like a virtual switch comes in). So it is impossible to have Posture on that machine...

Do we have any kind of solution for this kind of scenario?

Thanks!

Alex


hslai
Cisco Employee

Assuming KVM means keyboard, video, and mouse, I do not think we are supporting such at the moment, so I would suggest you discuss it with the ISE PM team.

Thanks.

My customer's scenario is like this:

There are some users who use virtual machines with Hyper-V (not KVM, sorry for that mistake). They can't authenticate using 802.1x because there is more than one MAC address trying to register in the same port.

Is there any way we can solve that scenario?

Thanks!

As long as the network interface of each Hyper-V VM has one and only one IPv4 MAC address and the Cisco switch interface is configured in multi-auth mode, then we should be able to see each VM as its own endpoint and posture accordingly. I think you might need to check with the switch platform teams and see any scale limits.

umahar
Cisco Employee

We also faced the same issue a few days back, although we kept it aside for now.

We are hosting a virtual mobile emulator in Hyper-V on some machines. The issue we faced was that even the host machine lost connectivity when these machines were moved to a multi-auth environment.

Thanks Utkarsh,

How is your scenario? To what switch are you connecting your host machine? Are the VMs in the host machine in L2, each one with its own IP address? Are you making posture on that environment?

Alex,

I believe the issue is not with Posture but with dot1x support in Hyper-V.

It is most likely that the Hyper-V is dropping EAP packets which are layer 2 frames sent to a multicast MAC address from the host machine.

This is a known issue and Microsoft seems to have acknowledged it.

I have not seen this issue for hosts behind a vSwitch though.

Check the links below:

https://social.technet.microsoft.com/forums/windows/en-US/341cbe70-3fa7-4991-a7e4-4f1af63df4d0/windows-8-hyperv-8021x-eapol-request-missing

https://windowsserver.uservoice.com/forums/295050-virtualization/suggestions/8619418-let-hyper-v-virtual-switch-forward-802-1x-authenti
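
Added example (not part of any reply in this thread, and not Cisco or Microsoft code): one way to confirm whether 802.1X frames are lost at the virtual switch is to capture on both sides of it and compare the EAPOL messages. The sketch below parses raw Ethernet frames for EtherType 0x888E and the 802.1X PAE group address 01:80:C2:00:00:03; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                        # IEEE 802.1X (EAP over LAN)
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group (multicast) address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame):
    """Summarise one Ethernet frame as an EAPOL message, or return None."""
    if len(frame) < 18:
        return None
    ethertype, = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == 0x8100 and len(frame) >= 22:    # skip a single 802.1Q tag
        ethertype, = struct.unpack("!H", frame[16:18])
        off = 18
    if ethertype != EAPOL_ETHERTYPE:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[off:off + 4])
    name = EAPOL_TYPES.get(ptype, "type-%d" % ptype)
    body = frame[off + 4:off + 4 + length]
    if ptype == 0 and len(body) >= 4:               # EAP header: code, id, length
        name = "EAP-" + EAP_CODES.get(body[0], "code-%d" % body[0])
        if body[0] in (1, 2) and len(body) >= 5 and body[4] == 1:
            name += "/Identity"
    return {"msg": name, "src": frame[6:12].hex(":"),
            "to_pae_group": frame[0:6] == PAE_GROUP_MAC}

def missing_after_vswitch(before, after):
    """EAPOL messages present in the capture taken before the virtual switch
    but absent from the capture taken after it."""
    seen = [m for m in map(parse_eapol, after) if m]
    return [m for m in map(parse_eapol, before) if m and m not in seen]

def build_frame(dst, src, eapol):
    """Build a constructed sample frame (hex MACs plus raw EAPOL bytes)."""
    return (bytes.fromhex(dst) + bytes.fromhex(src)
            + struct.pack("!H", EAPOL_ETHERTYPE) + eapol)

# Constructed sample data: locally administered MACs, not from a real capture.
SWITCH, VM = "0200000000aa", "0200000000bb"
START = build_frame("0180c2000003", VM, bytes([1, 1, 0, 0]))
REQ_ID = build_frame("0180c2000003", SWITCH, bytes([1, 0, 0, 5, 1, 7, 0, 5, 1]))

if __name__ == "__main__":
    for m in missing_after_vswitch([START, REQ_ID], [START]):
        print("dropped:", m)
```
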