Per port ISE (RADIUS) on Catalyst and ISE multi-tenancy

Istvan Segyik
Cisco Employee

Dear Colleagues,

We have an opportunity in the UK public sector where the customer wishes to “lease” parts of its switch stacks (some ports on their switch stacks) to another government organization.

Ideally they would use their own ISE deployments if it were possible. However, as far as I know, we can only have a single RADIUS server group configured per switch (stack) for 802.1X. I have read the IBNS 2.0 document as well, and seemingly, even with its great complexity and flexibility, it is not possible to have different RADIUS groups used in different port policies.

The questions are:

  • Am I right above?
  • Is there any foreseeable roadmap item that would solve the switch configuration problem and would allow multiple RADIUS servers in the same switch for 802.1X?
  • Is there any plan for ISE multi-tenancy? If yes, would this implementation be able to share switch stacks or large modular switches across tenants safely?

Any help would be highly appreciated.

Best regards,

Istvan

Istvan Segyik

Escalations Engineer, Security

CCIE Security #47531

Global Virtual Engineering

WW Partner Organization

Cisco Systems, Inc

Email: isegyik@cisco.com

Work: +36 1 2254604

Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

1 Reply

howon
Cisco Employee

Istvan, with IBNS 2.0 it is possible, though I personally have not tested that use case, so I am answering with reserve here. I recommend testing this out to make sure it works as expected. Also, to get a better answer on the switching features, I suggest hitting up Enterprise Networks as well.

With that in mind, when using IBNS 2.0 one can define multiple named server lists for different RADIUS servers. For instance, one can define a set of RADIUS servers for city-hall and another set for court-room. Once the named server lists are created, they can be used in the AAA definition and in interface templates. Once separate interface templates have been created, one can apply them to separate interface groups. The following example shows the relevant configuration needed to get you started (this configuration is by no means complete):

! One named authentication and authorization method list per tenant,
! each pointing at that tenant's own RADIUS server group
aaa authentication dot1x CITY-HALL group CITY-HALL
aaa authentication dot1x COURT-ROOM group COURT-ROOM
aaa authorization network CITY-HALL group CITY-HALL
aaa authorization network COURT-ROOM group COURT-ROOM
!
dot1x system-auth-control
!
! Server groups: one ISE deployment per tenant
aaa group server radius CITY-HALL
 server name ISE01
!
aaa group server radius COURT-ROOM
 server name ISE02
!
! Subscriber control policies: each one invokes only its tenant's method list
policy-map type control subscriber COURT-ROOM
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x aaa authc-list COURT-ROOM priority 10
   20 authenticate using mab aaa authc-list COURT-ROOM priority 20
!
policy-map type control subscriber CITY-HALL
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x aaa authc-list CITY-HALL priority 10
   20 authenticate using mab aaa authc-list CITY-HALL priority 20
!
! Ports leased to each tenant get that tenant's policy (and VLANs)
interface GigabitEthernet x/y/z
 description CITY-HALL Enabled Ports
 switchport access vlan 110
 switchport mode access
 switchport voice vlan 111
 access-session host-mode multi-domain
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber CITY-HALL
 access-session port-control auto
!
interface GigabitEthernet a/b/c
 description COURT-ROOM Enabled Ports
 switchport access vlan 210
 switchport mode access
 switchport voice vlan 211
 access-session host-mode multi-domain
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber COURT-ROOM
 access-session port-control auto
!
! RADIUS server definitions referenced by the server groups above
radius server ISE01
 address ipv4 x.x.x.x
 key xxxxx
!
radius server ISE02
 address ipv4 x.x.x.x
 key xxxxx
!
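Because the per-tenant isolation in the reply rests entirely on every link of the chain interface -> service-policy -> authc-list -> server group -> server pointing at the right tenant, a quick offline check of the running config is worth having before leasing ports. The following is an added example, not code from the reply or from Cisco: a small Python script that walks that chain for each interface and flags any port whose reachable RADIUS servers are not wholly inside its intended tenant's ISE deployment. The sample config slice, interface names and tenant ownership map are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample (not from the page), reduced to the statements that decide reachability
SAMPLE_CONFIG = """
aaa authentication dot1x CITY-HALL group CITY-HALL
aaa authentication dot1x COURT-ROOM group COURT-ROOM
aaa group server radius CITY-HALL
 server name ISE01
aaa group server radius COURT-ROOM
 server name ISE02
policy-map type control subscriber COURT-ROOM
   10 authenticate using dot1x aaa authc-list COURT-ROOM priority 10
policy-map type control subscriber CITY-HALL
   10 authenticate using dot1x aaa authc-list CITY-HALL priority 10
interface GigabitEthernet1/0/1
 service-policy type control subscriber CITY-HALL
interface GigabitEthernet1/0/2
 service-policy type control subscriber COURT-ROOM
"""

def resolve_port_servers(config):
    """Map each interface to the RADIUS server names its subscriber policy can reach."""
    authc_group, group_srv, policy_authc, intf_policy = {}, defaultdict(set), defaultdict(set), {}
    ctx = None  # (kind, name) of the indented config block we are currently inside
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"aaa authentication dot1x (\S+) group (\S+)", s):
            authc_group[m[1]] = m[2]          # named authc list -> server group
        elif m := re.match(r"aaa group server radius (\S+)", s):
            ctx = ("group", m[1])
        elif m := re.match(r"policy-map type control subscriber (\S+)", s):
            ctx = ("policy", m[1])
        elif m := re.match(r"interface (\S+)", s):
            ctx = ("intf", m[1])
        elif ctx and ctx[0] == "group" and (m := re.match(r"server name (\S+)", s)):
            group_srv[ctx[1]].add(m[1])        # server group -> RADIUS servers
        elif ctx and ctx[0] == "policy" and (m := re.search(r"aaa authc-list (\S+)", s)):
            policy_authc[ctx[1]].add(m[1])     # policy-map -> authc lists it invokes
        elif ctx and ctx[0] == "intf" and (m := re.match(r"service-policy type control subscriber (\S+)", s)):
            intf_policy[ctx[1]] = m[1]         # interface -> policy-map applied to it
    return {intf: set().union(*(group_srv.get(authc_group.get(a), set()) for a in policy_authc[pol]))
            for intf, pol in intf_policy.items()}

def cross_tenant_ports(config, port_tenant, tenant_servers):
    """Flag ports that resolve to no server, or to any server outside their tenant's deployment."""
    return sorted(intf for intf, srv in resolve_port_servers(config).items()
                  if not srv or not srv <= tenant_servers.get(port_tenant.get(intf), set()))

# Intended ownership as the operator records it (constructed to match the sample above)
TENANT_SERVERS = {"CITY-HALL": {"ISE01"}, "COURT-ROOM": {"ISE02"}}
PORT_TENANT = {"GigabitEthernet1/0/1": "CITY-HALL", "GigabitEthernet1/0/2": "COURT-ROOM"}
```

A single edit to one `aaa authentication dot1x ... group ...` line silently re-points every port of that tenant at the other tenant's ISE, which is exactly the kind of drift this check catches.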