cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
29819
Views
17
Helpful
10
Replies

Port security and 802.1x (ISE)

jc.saavedra
Level 1
Level 1

Hi everyone,

 

I'm implemmenting ISE in a network with Port Security enabled.

 

According the book Cisco ISE for BYOD and Secure Unified Access Port-security is not compatible with 802.1x.

 

I want to know what is the affectation of to have Port-security and 802.1x enabled on the same SW Port.

 

Someone?

 

Thanks!

1 Accepted Solution

Accepted Solutions

Moin Ilyas
Level 4
Level 4

Using 802.1X with Port Security

You can enable an 802.1X port for port security by using the dot1x multiple-hosts interface configuration command. You must also configure port security on the port by using the switchport port-security interface configuration command. With the multiple-hosts mode enabled, 802.1X authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an 802.1X multiple-host port.

These are some examples of the interaction between 802.1X and port security on the switch:

When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

A security violation occurs if the client is authenticated, but port security table is full. This can happen if the maximum number of secure hosts have been statically configured, or if the client ages out of the secure host table. If the client's address is aged out, its place in the secure host table can be taken by another host. In this case, you should enable periodic reauthentication with a shorter time period than the port security aging time.

If the port is administratively shut down the port becomes unauthenticated and all dynamic entries are removed from the secure host table.

For more details please refer: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_13_ea1/configuration/guide/3550scg/Sw8021x.html#wp1049580

Hope that helps.

View solution in original post

10 Replies 10

nspasov
Cisco Employee
Cisco Employee

There a lot of different commands, features and scenarios. Can you help us answer your question by telling us what exactly you are trying to accomplish?

Hi Neno, 

 

The scenario is: on the same SW port I have configured:

interface GigabitEthernet1/0/25
 description PC Jeremias Castro
 switchport access vlan 2008
 switchport mode access
 switchport voice vlan 2108
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation restrict
 switchport port-security aging type inactivity

 ip arp inspection limit rate 30
 authentication event fail action next-method
 authentication event server dead action authorize vlan 2008
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab

 authentication port-control auto
 authentication violation restrict
 mab
 macro description Phone-Host
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast

 

 

The port is configured to work with 802.1x and Port-security.

 

The question is, what is the problem if I have this config.

 

Thank you.

Hi Neno,

I am also having some what similar kind off issue .

I am implementing 802.1x with port security for end user access machine with Anyconnect and ISE . Wherein some dell Laptop with docket having issue. 

Issue - If dell laptop user connect there machine with docket then port goes in error disable (laptop having connection from IP Phone)  then phone also gets disable.This only happens when then first time connect their laptop on docket

ISE Configuration - We have configured machine + user authentication with dotx method 

Switch Configuration - 

 

interface GigabitEthernetX/X
 switchport access vlan X
 switchport mode access
 switchport voice vlan X
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky XX.XX.XX
 switchport port-security mac-address sticky XX.XX.XX vlan voice                                      authentication event server dead action authorize vlan XX
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication open                                                                                                                                  auto qos voip cisco-phone
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

Laptop model issue - Dell latitude e4310  and e6510 

 

Can anybody help me on this

 

Thanks 

In general I stay away from port-security if 802.1x is enabled. I personally don't see the benefit and IMO it only adds additional administrative overhead. In your scenario I believe the port becomes error disabled because you are exceeding the maximum allowed mac addresses, which in your configuration is 2. The reason you are exceeding this with the dock is because 99% of the time the dock also has its own mac address. So you in your scenario you end up with 3 total mac addresses on the port: One for the phone, one for the pc and one from the docking station. 

 

Thank you for rating helpful posts!

Hi Neno,

Thanks for the reply.. As we checked the port is going in error-disable with by phone mac address wherein phone is connected 24/7 and machine connects from phone.

 

Please find below logs from switch - 

 

Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC

Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC

Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B

Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B

Oct  1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B

Oct  1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY

Oct  1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT

Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned

Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state

Oct  1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3

Oct  1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE

Oct  1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state

Can you guide us how to fix this one

 

Regards

Pranav

 

Add the following command to your switchport and test again:

authentication host-mode multi-auth 

 

Thank you for rating helpful posts!

Dude, you have port-security limiting this port for 1 mac-address, but you have IP Phone, than laptop with Docket, with 2 or maybe 3 mac-addresses in total on that port. Maybe that's the problem. What does the show log shows you?

 

You could raise the mac-address limitation from 1 to 3 and remove the static mappings...

 

 

Moin Ilyas
Level 4
Level 4

Using 802.1X with Port Security

You can enable an 802.1X port for port security by using the dot1x multiple-hosts interface configuration command. You must also configure port security on the port by using the switchport port-security interface configuration command. With the multiple-hosts mode enabled, 802.1X authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an 802.1X multiple-host port.

These are some examples of the interaction between 802.1X and port security on the switch:

When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

A security violation occurs if the client is authenticated, but port security table is full. This can happen if the maximum number of secure hosts have been statically configured, or if the client ages out of the secure host table. If the client's address is aged out, its place in the secure host table can be taken by another host. In this case, you should enable periodic reauthentication with a shorter time period than the port security aging time.

If the port is administratively shut down the port becomes unauthenticated and all dynamic entries are removed from the secure host table.

For more details please refer: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_13_ea1/configuration/guide/3550scg/Sw8021x.html#wp1049580

Hope that helps.

jc.saavedra
Level 1
Level 1

Thanks Moin,

 

We have to configure the port with authentication host-mode multi-domain and remove the por-security.

 

Thank you.

Sorry, somehow I missed your reply and never replied back to you. Yes, in general I try to stay away from using dot1x and port-security in the same configuration. 

Glad your issue was resolved!