MAC Auth interface config

tlxbx
Level 1

Hello,

I am looking to configure MAC Authentication in our switches. Do you have any interface config you can share that is used in a production environment? Below is what I have so far. Am I missing anything, or does anything need to be removed? What about some sort of timeout settings we can use?

interface Gi1/0/1
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 authentication control-direction in
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 1
 mab
 spanning-tree portfast

balaji.bandi
Hall of Fame

At a high level your configuration is OK.

But if this is a first-time deployment and testing, I would start with a basic config and add more options as you move on, since if it is not working you will have a hard time finding which line is causing the issue.

So start with the below:

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

BB


Mike.Cifelli
VIP Alumni

Agreeing with @balaji.bandi to start with less, test, and build from there. Are you planning on allowing both a data and voice device on the same port? Here is a breakdown of the different host modes for a better understanding:

Single-host mode:

In single-host mode, only a single MAC or IP address can be authenticated by any method on a port. If a different MAC address is detected on the port after an endpoint has authenticated with 802.1X, MAB, or Web Authentication, a security violation is triggered on the port. This is the default behavior.

Multi-domain-authentication (MDA) host mode:

MDA was specifically designed to address the requirements of IP telephony in an 802.1X environment. When MDA is configured, two endpoints are allowed on the port: one in the voice VLAN, and one in the data VLAN. Additional MAC addresses trigger a security violation.

Multi-auth host mode:

If the port is configured for multi-auth mode, multiple endpoints can be authenticated in the data VLAN. Each new MAC address that appears on the port is separately authenticated. Multi-auth can be used for bridged virtual environments or to support hubs.

Multi-host mode:

Unlike multi-auth host mode, which authenticates every MAC address, multi-host mode authenticates the first MAC address and then allows an unlimited number of other MAC addresses. Because of the security implications of multi-host, multi-auth is typically a better choice than multi-host.

HTH!

tlxbx
Level 1

Thank you both. What would be a simple config, as I am new to this?

balaji.bandi
Hall of Fame

The basic config is available at the URL that was posted before in the other thread (look at the URL at the bottom of the page).

Mainly, as mentioned by @Mike.Cifelli, it depends on what kind of deployment you have; based on that, the config should go into the interface config.

Here is a good explanation of each one for your reference (as mentioned, go with the basic config and build from there):

http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x

BB


Thank you. I enjoyed reading the document, and it cleared many questions I had.

I want to follow up on "2.4.6 Inaccessible RADIUS Server". How can I configure the switch to detect if our RADIUS server goes down, so we can take action to put clients on the same VLANs configured on the ports?

thomas
Cisco Employee
Accepted Solution

This is all covered step by step in the ISE Secure Wired Access Prescriptive Deployment Guide.
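As an added example (not code from this thread, nor from the Cisco guides linked above), here is how the two things discussed in the thread are usually expressed together on a Catalyst IOS/IOS-XE switch: the multi-domain (MDA) host mode from the host-mode breakdown, and the inaccessible-RADIUS-server handling asked about in the follow-up question. The server name `ISE-1`, group name `ISE-RADIUS`, address `192.0.2.10`, the shared key, the probe username and the VLAN numbers are placeholders and assumptions, and the exact syntax should be verified on your platform and software version.

```cisco
! Added example, not the thread's or Cisco's own config.
! Names, addresses, key, probe user and VLANs are placeholders.
aaa new-model
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
!
! Server definition with a liveness probe: the switch sends a test
! Access-Request on its own, so it can notice a dead server even when
! no endpoint is authenticating. probe-on = probe while marked dead.
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-KEY-PLACEHOLDER>
 automate-tester username probe-user probe-on
!
aaa group server radius ISE-RADIUS
 server name ISE-1
!
! Dead detection: mark the server dead after 3 unanswered tries within
! 5 seconds, and keep it marked dead for 15 minutes before retrying.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 ! MDA: one endpoint in the data VLAN and one in the voice VLAN;
 ! a third MAC address is a security violation.
 authentication host-mode multi-domain
 ! Critical authorization: when every server in the group is dead,
 ! authorize the data endpoint on the port's configured access VLAN
 ! (omit "vlan" to use it; "vlan <id>" would pick another one) and
 ! let the phone into the voice VLAN. When a server comes back,
 ! re-run authentication for sessions that were critically authorized.
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 spanning-tree portfast
```

With this in place, `show aaa servers` shows whether each server is currently marked UP or DEAD and how many requests timed out, and `show authentication sessions interface GigabitEthernet1/0/1 details` shows whether a session was authorized normally or through the critical (server-dead) path. The dead-criteria values and deadtime are a trade-off: shorter values fail over to the critical VLAN sooner, but a flapping server then causes more reinitializations when it comes back.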