802.1x on Cisco ASA 5516

MohammadKayed
Level 1

Hello,

I have a switch configured with 802.1x to run as authenticator.

On one of the ports I would like to add a Cisco ASA as supplicant and keep 802.1x enabled.

So the question is, can I add a username and password on the ASA so it will authenticate itself with the switch? If not, what is the best replacement for such an approach? (I am thinking of port security for the MAC address.)

Thank you.

1 Accepted Solution

Accepted Solutions

balaji.bandi
Hall of Fame

I would not advise that approach; that is not best practice. Rather, I suggest making the ports connected to the ASA normal access ports or a port-channel without any .1X kind of stuff.

The ASA itself is a security device, so security can be taken care of, and this is not an access port where a user can plug in any device; these devices are located in a secure area, where they are protected from other users.

If you like you can do sticky for those ports, but it is not required in my point of view.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
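The two alternatives raised in this thread (a plain access port with sticky port security per the accepted answer, or a MAB-only port on ISE per the earlier reply) as an added Cisco IOS configuration example; this is not configuration from the original post or from Cisco. Interface names, VLAN 10 and the ASA-facing description are assumed placeholders. The two interface stanzas are mutually exclusive options for the same port, since port security and 802.1X/MAB are not enabled together on one interface, and the errdisable recovery lines address the outage risk of a port shutting down on a violation.

```text
! Option A: plain access port to the ASA with sticky port security
! (assumed interface name; replace with the real ASA-facing port)
interface GigabitEthernet1/0/24
 description Uplink to ASA (assumed)
 switchport mode access
 switchport access vlan 10
 ! make sure no 802.1X authenticator config is left on this port
 no authentication port-control auto
 no dot1x pae authenticator
 ! learn the ASA MAC once and keep it in the running config
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! "restrict" drops offending frames and logs instead of err-disabling the port
 switchport port-security violation restrict
 spanning-tree portfast

! Option B: MAB-only port, authorization decided by ISE for the ASA MAC
interface GigabitEthernet1/0/24
 description Uplink to ASA (assumed)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 mab
 authentication order mab
 authentication priority mab
 ! keep the ASA reachable if ISE is unreachable
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize

! Limit the blast radius if a port does err-disable for a port-security violation
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

After applying option A, `show port-security interface GigabitEthernet1/0/24` should list the learned ASA MAC as sticky with a violation count of 0; with option B, `show authentication sessions interface GigabitEthernet1/0/24` should show a single MAB session authorized for the ASA MAC. Save the configuration after the sticky address is learned, or it is lost on reload.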


6 Replies

Hi,
No, the ASA doesn't support 802.1x. Port Security and 802.1x are not supported together (not enabled on the same interface at least).

What RADIUS server are you using? If ISE you could configure MAB, to limit authentication of that interface to the ASA's MAC address.

HTH

Thank you for your reply.

I am thinking of port security as a replacement for 802.1x, in case it's not supported, as plan B.
Yes, I do have ISE.

Whilst you can configure MAB or port security, I've never seen this done on core infrastructure devices such as the firewall. Plugging the ASA into a port that could potentially err-disable, or that relies on a RADIUS server to be authenticated, could potentially lead to an outage.


Thank you for the reply.

- But as mentioned, .1x is not supported on the ASA in the first place. Actually there is a distance between the ASA and the switches; due to that I am looking for a method to make sure my traffic will be secured (I have critical devices behind the switches). I might go with a VPN tunnel and have one firewall next to the switch and another one in my main site.

balaji.bandi
Hall of Fame

Yes, VPN is the good option, or if the switches support it you can do MACsec switch to switch at Layer 2.

 

BB
