Multi-auth and unmanaged switch

iores (Level 3)

Hi,

I have several devices on an unmanaged switch that I need to authenticate via MAB. The unmanaged switch and the upstream switch are connected via an access port.

My idea is to configure MAB on an access port of the upstream switch, and use multi-auth host-mode.

Would this work? Do I need to authorize the MAC of the switchport of the unmanaged switch as well? Can I use dynamic VLAN assignment in such a case?

21 Replies

sidshas03 (Spotlight)

Hey,

If you’re planning to keep this setup long-term with unmanaged switches and multiple endpoints behind it, one strong suggestion I can give is to replace the dumb switch with a basic managed switch – even a low-end Catalyst or SMB series model. Reason is, with unmanaged switches, you have zero visibility – you can't detect when a device behind it disconnects, there's no MAC aging control, and the switch doesn’t support VLAN tagging or 802.1X supplicant capabilities.

With a managed switch, even a small one, you can do proper 802.1X supplicant-based authentication using something like Cisco NEAT or downloadable interface templates. That way, you authenticate the switch once, and then the port becomes a trunk. ISE can handle dynamic VLANs per endpoint coming behind it, cleanly. Plus, you get better logs, session visibility, and less headaches with MAC learning and session timeout issues.

In your current setup, the best you can do is multi-auth with MAB on the upstream switch, and set session inactivity timeout to handle device disconnections — but still it's a workaround. With a managed switch, you can future-proof the design and reduce ISE overhead by pushing logic to the edge.

So if budget or design allows, try to move from dumb to smart — even if it’s just for this one switch. It’ll save you time in the long run.

iores (Level 3)

With session timeout, will there be any connectivity issues when timeout expires?

You need to tell ISE a few things to ensure that you have a seamless re-authentication (no connectivity loss). The Authorization Profile must contain the following information:

[screenshots of the ISE Authorization Profile settings]

termination-action-modifier=1

In my Profile, I set the VLAN to 100 and a 28800-second re-auth interval; ISE sends these RADIUS attributes to the switch:

[screenshot of the RADIUS attributes sent to the switch]

@Arne Bier 

What is the purpose of using session timeout? What can go wrong if it is not used?

I mentioned it earlier - it has to do with managing the session table on the managed switch. Every NAC-enabled interface will create a new session when a new MAC address is learned; if you don't put a time limit (session timeout) on a session, then the session will live forever, unless the interface link goes DOWN (device disconnected or port shut), which clears the session. A switch reload also clears the session table.

The problem is that your managed switch has no knowledge that a device was unplugged on the dumb switch. How could it? Therefore you have to solve the issue of "stale sessions" differently. You set a timer (e.g. 18 hours countdown) from the time the MAC address is seen on the managed switch and the session is created. If in that time the device is unplugged on the dumb switch, the session continues. If you were to check the MAC address table of the managed switch, you'd notice that the MAC address of the removed device will eventually disappear - but the session still lives. After the session timeout has reached 0, the managed switch will notice that the MAC address is no longer there and will clear the session. On the other hand, if the MAC address was still there because the device was still connected, then the managed switch would send a re-auth to ISE and that would reset the timer for another 18 hours - the data traffic is not affected by this (if you do the re-auth like I mentioned).

@Arne Bier 

What would or can happen if the session lives forever?

Nothing bad. It’s just misleading. If you examine the session table you might think the endpoints are attached, when in fact they are not. Also, as long as the session is active, and ISE is receiving Accounting updates, ISE consumes a license. Just clear inactive sessions with session timeout. It’s the right thing to do.
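The upstream-port configuration that the thread describes (MAB in multi-auth host-mode, with the re-auth interval and inactivity timer taken from the ISE Authorization Profile so that stale sessions are aged out without dropping traffic), written out as an added example in classic IOS `authentication` syntax; this is not configuration posted in the thread. The interface name, VLAN 100, the ISE address and the shared-secret placeholder are assumed values.

```cisco
! Added example, not from the thread. Upstream Catalyst access port that
! faces the unmanaged switch. Interface, VLAN, ISE address and the shared
! secret are assumed/placeholder values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
interface GigabitEthernet1/0/10
 description Access port towards the unmanaged switch
 switchport mode access
 switchport access vlan 100
 ! One MAB session per MAC learned behind the unmanaged switch
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order mab
 authentication priority mab
 ! Re-authenticate periodically; with Termination-Action = RADIUS-Request
 ! in the ISE Authorization Profile the data traffic keeps flowing while
 ! the session is refreshed
 authentication periodic
 ! Take the re-auth interval (Session-Timeout, e.g. 28800 seconds) and the
 ! inactivity timer from the RADIUS reply instead of hard-coding them here;
 ! the inactivity timer only takes effect if ISE also sends Idle-Timeout
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 spanning-tree portfast
```

Sessions whose MAC has aged out of the MAC address table are cleared when Session-Timeout expires, while devices still connected are re-authenticated and their timer restarted, which is the behaviour described in the replies above.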