03-28-2022 01:51 PM
Hi,
We have a two-node ISE deployment. Version 2.7 Patch 5.
Originally we deployed dot1x using MAR. We were also using ISE for Guest, BYOD and Corporate Access. We had mixed results using MAR. We also had to enable mac pass-through on Lenovo laptops.
Due to the issues with MAR, we deployed EAP-TLS for all dot1x supplicants. The customer is now deploying new Lenovo laptops.
We are having connectivity issues when going via Docking station to direct Ethernet connectivity and back to the Docking station.
When we are using EAP-TLS, is there any requirement for enabling mac pass-through? Do we still need this?
Thanks
Anthony.
Solved!
03-29-2022 03:51 PM
Hello @Anthony O'Reilly
You asked: "When we are using EAP-TLS, is there any requirement for enabling mac pass-through? Do we still need this?"
The MAC Passthrough is primarily there to stop the docking station from interfering with its own MAC address during any kind of authentication where the MAC address of the endpoint is important (and used in Authorization). If you're doing good old EAP-TLS then I don't believe the MAC address of the endpoint is of any concern. You might find though that if MAC Passthrough is not enabled then ISE might collect more endpoints than required, since it will also collect the MAC address of the docking station. Either way, the sooner we get away from using MAC addresses for any kind of authentication, the better. A unique device identifier would be much more useful, but it requires the endpoints to supply that data to the Authenticating Server (ISE).
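As an added illustration of the point above about ISE collecting extra endpoints when MAC Passthrough is off (this is not code from the thread or from Cisco; the record shape and all values are constructed), the script below groups EAP-TLS authentications by certificate identity and reports identities seen from more than one Calling-Station-Id, which is where a docking-station MAC shows up next to the laptop's own NIC:

```python
from collections import defaultdict
import re

# Constructed sample rows in the shape of an ISE RADIUS authentication export:
# EAP-TLS identity taken from the certificate, Calling-Station-Id as the switch
# saw it, and NAS-Port-Id. Every value here is invented for this illustration.
SAMPLE_AUTHS = [
    {"identity": "laptop-01.corp.example", "calling_station_id": "AA-BB-CC-00-00-01", "nas_port_id": "Gi1/0/5"},
    {"identity": "laptop-01.corp.example", "calling_station_id": "11-22-33-44-55-66", "nas_port_id": "Gi1/0/5"},
    {"identity": "laptop-01.corp.example", "calling_station_id": "AA-BB-CC-00-00-01", "nas_port_id": "Gi1/0/7"},
    {"identity": "laptop-02.corp.example", "calling_station_id": "AA-BB-CC-00-00-02", "nas_port_id": "Gi1/0/9"},
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so AA-BB-CC-00-00-01 and aabb.cc00.0001 compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def macs_per_identity(records):
    """Map each EAP-TLS identity to the set of MACs it has authenticated from."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["identity"]].add(normalize_mac(rec["calling_station_id"]))
    return seen


def find_multi_mac_identities(records):
    """Identities that authenticated from more than one MAC.

    With MAC Passthrough disabled, the same certificate shows up once with the
    dock's MAC and once with the laptop NIC's MAC; ISE keeps an endpoint record
    for each of them even though the EAP-TLS identity is the same device.
    """
    return {ident: sorted(macs)
            for ident, macs in macs_per_identity(records).items()
            if len(macs) > 1}


def endpoint_count(records):
    """Number of distinct endpoint records ISE would hold, keyed by MAC."""
    return len({normalize_mac(r["calling_station_id"]) for r in records})
```

Running it over a real export shows how many endpoint records exist purely because of dock MACs, which matters only if an authorization rule still keys on the endpoint identity group or MAC.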
04-12-2022 08:35 AM
@Arne Bier Thanks Arne,
I've tested this over the last week and it is working ok. Thanks for your quick response.