ISE support on third party switch doing 802.1x authc on interface

yong khang NG
Level 5

Hi all,

I have a few questions on how ISE supports a third-party LAN switch when the requirement is 802.1X-based FlexAuth.

Refer to the diagram I attached: 01 topology.png

Concern 1: if the 3Com switch has the 802.1X feature, but still lacks the full feature set to support FlexAuth, policy enforcement, dACL etc., will users still be able to authenticate (using PEAP-MSCHAPv2), with authorization just granting permit any any?

Concern 2: In this case, can I assume I authenticate on the 3Com switch using MAB? But this will leave endpoints with no 802.1X, am I right?

Concern 3: Cisco switch C4507-E, loaded with IOS image Cat4500e-UNIVERSALK9-M, version 03.04, and Supervisor Engine WS-X45-SUP7-E: is this platform supported in Cisco TrustSec?

Please advise, million thanks

Noel

2 Replies

Jatin Katyal
Cisco Employee

Yes, users will be able to authenticate. With MAB you cannot use PEAP because MAB uses PAP as the authentication type, and it is used for devices that don't understand 802.1X.

It looks like it is supported, but with a few limitations:

The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL on Catalyst WS-X45-SUP7-E/SUP7L-E and WS-C4500X-32 switches:

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/appb_cat4k.html

Jatin Katyal
- Do rate helpful posts -

~Jatin

Cool Jatin

First and foremost, thanks for the replies.

The third-party LAN switch model mentioned is the 3Com® Baseline Switch 2948-SFP Plus. After reviewing the user manual, it seems to be an L2 LAN switch.

Actually, my business requirement can be either:

a. optimally, the switch supports FlexAuth (open mode, then evolving to low-impact mode)

b. due to the switch's capability limitations, as long as it can do 802.1X authentication

After reviewing the documentation, I still found some of the configuration that looks like it cannot be configured on the 3Com switch.

For example:

a. configure RADIUS settings

ip radius source-interface

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

b. identity settings on the switch port, to support FlexAuth

mab

authentication host-mode multi-auth

authentication order

c. policy enforcement

radius-server vsa send authentication

radius-server vsa send accounting

d. Change of Authorization (CoA), the most crucial

aaa server radius dynamic-author

e. dACL applied to the port after authentication, based on the authorization profile

So, to hit the baseline, I guess it can do 802.1X authentication but not the FlexAuth feature.

For the C4507, thanks for the info.

Million thanks

Noel
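To show where the individual commands listed in the post fit together, here is an added example (not from the thread, and not from Cisco's or 3Com's documentation) of a Catalyst IOS reference configuration for ISE FlexAuth in open (monitor) mode, with the low-impact variant noted as a comment. The ISE address, shared key, VLAN, interface and ACL name are placeholders chosen for illustration; the commands themselves are the standard IOS ones the post refers to.

```cisco
! Added example, not from the thread. ISE_IP, SHARED_KEY, Vlan10,
! GigabitEthernet1/0/1 and PRE-AUTH are assumed placeholder values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Change of Authorization: lets ISE re-authenticate a session or push a new
! dACL to the port after the initial decision (the "most crucial" item above)
aaa server radius dynamic-author
 client ISE_IP server-key SHARED_KEY
!
radius-server host ISE_IP auth-port 1812 acct-port 1813 key SHARED_KEY
ip radius source-interface Vlan10
! VSAs carry the dACL name and other ISE authorization attributes
radius-server vsa send authentication
radius-server vsa send accounting
! attribute 6 (Service-Type), 8 (Framed-IP-Address), 25 (Class) in requests
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
dot1x system-auth-control
!
! Pre-authentication ACL for low-impact mode: before ISE authorizes the
! session only DHCP and DNS are allowed; the dACL returned by ISE replaces it
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! open mode: traffic is forwarded even before authentication succeeds,
 ! so ISE can be deployed in monitor mode without affecting users
 authentication open
 ! low-impact mode: keep "authentication open" and add the pre-auth ACL
 ! ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 ! try 802.1X first, fall back to MAB for endpoints without a supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The port-level block is the part a pure L2 switch without FlexAuth cannot reproduce: it can run 802.1X and return an accept/reject, but without `aaa server radius dynamic-author`, the VSA settings and the pre-auth/dACL mechanism, ISE has no way to change the session after the fact or to narrow what an authenticated port may reach, which is exactly the baseline (authentication only, effectively permit any any) described in the post.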