
Switch Port-security and ISE 802.1x support

rmesquit
Cisco Employee

Hi team, how are you doing?

My customer recently deployed ISE 802.1x solution, but they are having a conflict between 802.1x authentication settings and the "port-security" on the Cisco IP Phone interfaces.

When the "port-security mac-address sticky" setting is configured on the switch interface, the desktop MAC address goes into the Drop state, and it only leaves the Drop state after the "port-security mac-address sticky" setting is removed.


Has anyone faced the same scenario?


For some reasons, my customer needs both 802.1x and port-security and, for now, this is mandatory for us to move forward with a huge IP Telephony deal.


The switch is a WS-C2960+24PC-L running 15.2(2)E6.


The customer already opened a TAC case (683010280), but the engineer said:


dot1x is not recommended to work with port-security.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_1_e/configuration/guide/2960_scg/sw8021x.html#pgfId-1551662

It is not recommended, but I haven't found any doc saying that it does not work. I cannot see why both features cannot work together.

Thanks.

Best regards,

Ricardo.

Accepted Solution

Craig Hyps
Level 10

Some features may work, but in general it is not recommended, since you may hit issues like the one above.  Better to define the business requirement.  For example, is the requirement to truly limit an endpoint to a specific port, or to make sure the port is secure?  Much of what port security attempts to achieve is already an inherent component of 802.1X, so there is no need to have both running for many use cases, and that is why there can be a conflict that causes failure.

One of the few cases where functionality from both is needed is max MAC addresses on a port.  You can try to enable ONLY this setting, but you may still run into problems.  Certainly MAC sticky is not one of the use cases, as you already get MAC security in 802.1X.  There are enhancement requests to support a "max macs" feature, so you can work with the Cisco account team to add your name and impact to the list.  Another option is to use multi-MDA, which will always restrict the port to one PC (data VLAN) and one phone (Voice VLAN).

If the goal is to restrict a specific device to a port, this could be accomplished in ISE by defining the specific port under the endpoint record as a custom attribute and adding a condition to compare the incoming NAS port to the custom attribute.

Craig


3 Replies

rmesquit
Cisco Employee

Hi Craig,

Thanks for your input.

This customer is a bank, one of the largest banks in Latin America, and this request is for its branches (where physical access control is more limited).

We have already tried to explain all these things to the customer, but they still say that they need both features at the same time.

The reason my customer is asking for that is:

If the switch loses connectivity with ISE, all users fall back to the critical VLAN and can work. At this moment, Bradesco bank is concerned about access security, and they think that "port-security sticky" achieves it...

Any other comments? Again, I do not see why both features cannot work together...

Cheers,
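The following is an added illustration and is not configuration posted by anyone in this thread. It puts the two interface configurations being discussed side by side: the port-security-plus-802.1X interface that produces the Drop state described in the question, and the multi-domain (MDA) host-mode interface Craig suggests, including the critical-VLAN fallback the customer relies on when ISE is unreachable. The interface name, VLAN IDs, RADIUS server name, address and key are assumptions chosen for the example.

```ios
! --- Conflicting configuration (the one described in the question) ---
! Sticky port-security learns the first MACs seen on the port and pins them
! to it, independently of the 802.1X session that authorizes those MACs.
! Interface, VLANs and counts are assumed values for this example.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 authentication port-control auto
 dot1x pae authenticator
!
! --- Suggested replacement: MDA host mode, no port-security ---
! RADIUS server name, address and key are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! exactly one host in the data domain and one in the voice domain
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 ! a second MAC in the data domain is a violation; restrict logs and drops
 ! it instead of err-disabling the port (shutdown is the alternative)
 authentication violation restrict
 ! critical authentication: when no RADIUS server answers, keep the PC on
 ! VLAN 10 and let the phone onto the voice VLAN
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

With `authentication host-mode multi-domain` the switch itself limits the port to one MAC in the data domain and one in the voice domain; an additional data MAC is handled as a security violation, which is the "maximum MAC" behaviour that port-security would otherwise provide, without sticky learning. When every RADIUS server is marked dead, the server-dead actions keep existing data sessions on VLAN 10 and allow the phone on the voice VLAN, which is the fallback the customer describes; `server alive action reinitialize` re-authenticates those sessions once ISE is reachable again. The ISE-side port restriction Craig mentions (comparing the incoming NAS port with a custom endpoint attribute) is ISE policy configuration and is not shown here. To confirm the session state after the change, use `show authentication sessions interface GigabitEthernet0/1 details` and `show dot1x interface GigabitEthernet0/1`.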

Please contact the PM team for Cisco IOS platform support, as they are switch platform features.