02-19-2016 06:29 AM
Team,
Do we have any specific recommendations/best practices/caveats for doing 802.1X on switch ports with port security? The customer is experiencing some issues; we are working with TAC, but I just wanted to understand if there is a standard stance on having both configured.
switchport access vlan 3025
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging type inactivity
authentication control-direction in
authentication host-mode multi-auth
authentication open
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
storm-control broadcast level 10.00 3.00
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
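One way to find every port that carries both configurations across a large running-config, as an added example in Python (not code from the thread or from Cisco): it splits the config into interface stanzas and flags any that enable port-security alongside 802.1X/MAB in either the classic `authentication` or the IBNS 2.0 (c3pl) `access-session` form. The sample config below is constructed for illustration.

```python
from typing import Dict, List

# Constructed sample running-config (not the thread's customer config):
# Gi1/0/1 mixes port-security with 802.1X/MAB, Gi1/0/2 runs 802.1X/MAB only.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

# Commands that enable 802.1X/MAB on a port: classic IBNS and IBNS 2.0 (c3pl) forms.
AUTH_CMDS = ("dot1x pae authenticator", "mab",
             "authentication port-control auto", "access-session port-control auto")

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [stanza lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def find_mixed_ports(config: str) -> List[str]:
    """Return interfaces that enable port-security together with 802.1X/MAB,
    the combination this thread says is not supported alongside ISE."""
    mixed = []
    for name, lines in parse_interfaces(config).items():
        has_psec = "switchport port-security" in lines
        has_auth = any(l.startswith(AUTH_CMDS) for l in lines)
        if has_psec and has_auth:
            mixed.append(name)
    return mixed
```

Feed it the output of `show running-config` and review each reported port against the guidance in this thread.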
02-19-2016 02:11 PM
Michael,
Using port security with 802.1X is not supported with ISE. We recommend using either one or the other but not both.
Regards,
-Tim
02-19-2016 02:20 PM
Thanks Tim. I thought that our stance on that had changed. Appreciate the info.
Mike Walsh
Consulting Systems Engineer
Enterprise Security Team
.:|:.:|:. Cisco
www.cisco.com/go/security
02-19-2016 02:24 PM
You're welcome. If I'm mistaken, maybe one of the team will correct me.
Regards,
-Tim
02-20-2016 02:48 AM
It's not a matter of supporting it from ISE.
This is an IBNS (switch) feature and requirement that port security and dot1x cannot be mixed.
Not sure it makes sense anyway; as long as you're authenticating securely, why the limit?
I would reach out to them and explain.
02-20-2016 07:06 AM
Thanks Jason. We did indicate that to the customer in terms of not needing port security with 802.1X. So likely some more education needs to go on there, but the customer told us that they found some sort of documentation indicating the two configurations can coexist (and we thought maybe we had heard something similar). So we will have them provide that documentation so we can review it, but wanted to start by making sure what our current stance was on this.
Thanks again.
Mike Walsh
Consulting Systems Engineer
Enterprise Security Team
08-07-2017 07:11 AM
Hi ... it has been over a year since the last reply in this thread. However, here's a follow-up:
What's the official position on this right now? Is port-security supported in combination with multi-auth on the Catalyst switches (e.g. 2960-X)? To be more precise, I'm using c3pl (IBNS2).
Or the other way around: How do I restrict the number of MACs on a multi-auth port?
01-16-2018 11:18 AM
I too would like to know the answer to your question. It seems odd to me that from a security perspective Cisco is saying you cannot secure the port with limiting layer 2 because we are authenticating devices with ISE.
What is going to stop a device from doing a MAC address flood attack on a port that is set for multi-auth?
01-16-2018 12:54 PM
multi-auth implies each MAC address is authenticated. It's a rare case where authenticated endpoints are producing a flood attack. If the endpoint is authenticated and malicious, I'd be concerned about many other potential problems. I can see multi-host as a potential flooding concern, but the solution to that would be to not use multi-host.
01-17-2018 02:59 PM
I agree with George. Port security is, IMO, a clumsier method of solving the same problem. Not only can you filter on the same mechanism in ISE (MAC address), you can filter on things like CDP and SNMP data now, or certificates. By implementing two solutions to the same problem you complicate troubleshooting and expose yourself to another branch of code that might have bugs.
02-03-2018 01:57 AM
Just thought it might be worth sharing how, in our network, a well-authenticated Cisco phone brought the whole network down.
The Cisco phone was authenticated by ISE with MAB, using the built-in profile in ISE.
This phone model was affected by a bug where it stops the flow of BPDUs from its data port to its PC port.
An innocent end user [who didn't know] connected this phone to the network with both the PC and data ports [instead of connecting the PC to the PC port].
The switch's STP function or BPDU guard can't help now, as there are no BPDUs (they are filtered by the buggy phone) and the data is looping.
So now there is an undetected loop, and via this loop all the other authenticated MAC addresses are jumping back and forth between ports, which caused a CPU spike and a network outage.
Though multi-auth, the buggy phone, and the innocent end user all contributed to creating this loop [it is indeed a rare combination, but I have seen some other industrial-type end devices doing this BPDU filtering as well], I was wondering whether, if port security had been there, it might have stopped this, as I could have put a restriction on the number of MAC addresses.
Any thoughts which would help in this scenario?
02-03-2018 09:32 AM
I would recommend reaching out to the switching team
02-22-2025 08:05 PM
I know this is an old post, but multiple people are still looking into mixing ISE and port-security. I agree that it is rare for an authenticated device to flood the network. However, a MAC address flood attack on an ISE-protected port in multi-auth mode can inflate the ISE database of known devices. I have seen instances where an Apple device with a USB Ethernet dongle and enabled MAC randomization inflated the ISE known devices by 20,000 MAC addresses in a relatively short period. This was not an attack but a malfunctioning device. Some USB Ethernet adapters, particularly third-party ones, may not handle MAC addresses consistently. Each random MAC address triggers a new MAB request to Cisco ISE, resulting in thousands of authentication attempts. This behavior was prevented by adding port-security:
interface GigabitEthernet1/0/1
switchport mode access
switchport port-security
switchport port-security maximum 5
no switchport port-security mac-address sticky
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security violation restrict
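A constructed illustration, not part of the original post, of spotting the kind of MAB churn described above before it fills the ISE endpoint database: each line is a simplified MAB request record (timestamp, switch, port, MAC) that is made up for the example rather than a real ISE or switch log format, and the detector flags a port when more distinct MACs than the port-security maximum of 5 used above appear within a sliding one-minute window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed MAB request records (not real ISE or switch logs), one per
# MAB request the switch sent to ISE: "timestamp switch port mac".
# Gi1/0/1 shows one adapter churning through random MACs; Gi1/0/2 is normal.
SAMPLE_LOG = """\
2025-02-22T20:00:01 sw1 GigabitEthernet1/0/1 02:11:22:33:44:01
2025-02-22T20:00:09 sw1 GigabitEthernet1/0/1 02:11:22:33:44:02
2025-02-22T20:00:18 sw1 GigabitEthernet1/0/1 02:11:22:33:44:03
2025-02-22T20:00:26 sw1 GigabitEthernet1/0/1 02:11:22:33:44:04
2025-02-22T20:00:35 sw1 GigabitEthernet1/0/1 02:11:22:33:44:05
2025-02-22T20:00:44 sw1 GigabitEthernet1/0/1 02:11:22:33:44:06
2025-02-22T20:00:05 sw1 GigabitEthernet1/0/2 00:1b:54:aa:bb:01
2025-02-22T20:30:05 sw1 GigabitEthernet1/0/2 00:1b:54:aa:bb:01
2025-02-22T21:00:05 sw1 GigabitEthernet1/0/2 00:1b:54:aa:bb:02
"""

def parse_records(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the constructed record format into (timestamp, switch:port, mac), sorted by time."""
    recs = []
    for line in text.splitlines():
        ts, sw, port, mac = line.split()
        recs.append((datetime.fromisoformat(ts), f"{sw}:{port}", mac.lower()))
    return sorted(recs)

def mac_churn(text: str, window: timedelta = timedelta(minutes=1),
              max_macs: int = 5) -> Dict[str, int]:
    """Peak number of distinct MACs seen on each port within any sliding window;
    returns only the ports whose peak exceeds max_macs (port-security maximum)."""
    recent = defaultdict(deque)   # port -> (ts, mac) records inside the window
    peak = defaultdict(int)
    for ts, port, mac in parse_records(text):
        q = recent[port]
        q.append((ts, mac))
        while q and ts - q[0][0] > window:   # drop records older than the window
            q.popleft()
        distinct = len({m for _, m in q})
        peak[port] = max(peak[port], distinct)
    return {p: n for p, n in peak.items() if n > max_macs}
```

A port reported here is a candidate for the kind of misbehaving adapter the post describes, or for the port-security limit it applied.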
02-15-2023 07:50 AM
Hello,
I had the same issue: when both are configured, the ISE users are authenticated periodically and disconnected every time, until I disabled port security on the access ports.
So it is not supported to enable both on the same access port.
Regards.