862 Views · 1 Helpful · 11 Replies

ISE and switch connected to floorbox socket

Tibor M, Level 1

Hi,

I have following situation:

  • ISE 3.4 Patch 3
  • Access switch for floor boxes sockets WS-C2960X-48LPS-L with 15.2(7)E10
  • 2 access switches for lab IP phones (96 phones), WS-C3560X-48P with 15.2(4)E3, connected to a public floor box socket; there is a trunk with 2 allowed VLANs between these switches and the switches cabled to the floor box sockets (line above), and these switches have 1 SVI for management (as there are not enough floor box sockets to use the management port)

I know this is not the best way to do it, but this lab must be publicly accessible and there is no other way to connect 96 phones and their switches to the core switches in the server room in a physically secure manner. I also know the switches are EOS; just ignore it, they are working.

The thing is that we are securing all floor box sockets with ISE. The problem I have is that the IP phone switches have old IOS and do not support TLS 1.2 for dot1x. So the only way to use the EAP supplicant is to allow TLS 1.0 on ISE. If I use MAB, then all IP phones are authenticated twice: first on their access switch in the lab, second on the parent access switch in the server room (where all floor box sockets are cabled).

I do not know how to do it securely with the current equipment: whether to keep only MAB on those floor box sockets in the lab and disable dot1x EAP, or rather allow TLS 1.0 on ISE, use dot1x EAP-FAST on the IP phone switches and disable MAB on the floor box switch. I was also looking into policy sets, but I do not know how to create a condition for a policy set like "Normalised Radius·RadiusFlowType == Wired802_1x && TLSVersion == TLSv1" - there is nothing like TLSVersion in the possible options and I do not know how to use it, even though it is visible in the Live Log under Other Attributes.

Thanks


11 Replies

Sorry, I don't get your request.

But 

SW to SW you can use MACsec.

Phone to network you can use 802.1x and/or MAB.

MHM

Let me clarify. I want to know opinions on how to secure the access switch in the server room, which is physically cabled to the floor box sockets. So if anybody comes to that lab room and disconnects the access switch (used for IP phones) from the floor box sockets, the floor box socket will still be secured by ISE and nobody unauthorized can use it.

MAB or 802.1x is used only on the SW directly connected to the endpoint.

I.e. this needs to be used on the cat3500 series.

MHM

You need the access SW to run as a supplicant?

MHM

Marvin Rhoads, Hall of Fame

This sounds like a use case for NEAT (Network Edge Authentication Technology). Have a look at this reference to see if it addresses your requirement and concerns:

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-286005059

bonniefr, Level 1

It looks like the ISE and switch are connected to the floorbox sockets; please check the wiring and ensure the configuration is correct.

Tibor M, Level 1

Hope this screenshot helps to understand what I'm trying to solve. I do not know if there is another way than using MAB only with multi-auth on that socket (where each phone is authenticated twice: on the switches in the lab and then in the server room, due to MAB and multi-auth), or rather to allow TLSv1.0 on ISE and configure the switches in the phone lab as supplicants (they are old, no TLSv1.2 on them).

[screenshot: schema.png]

You need to authc the endpoints connected to the access SW?

If the access SW has an UP mgmt interface that can connect to ISE, then the access SW can authc the endpoints, and after these endpoints authc they can access the network, i.e. the checkpoint needs to be close to the endpoint and after this checkpoint you can go wherever you want.

MHM

Did you look at the link I shared regarding NEAT setup? With that, the access switch in the server room authenticates the switch connected to the floor box socket. That switch in turn is the network access device passing requests to ISE to authenticate the IP phones (with MAB). If anything else is plugged directly into a floor box socket, it authenticates via the server room switch. No TLS 1.0 is used and the phones should only ever appear in authentication sessions of the switch they are directly plugged into.
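The NEAT arrangement described above, as an added configuration example that is not from the thread or from Cisco's own documentation for this case. Interface numbers, the credential name NEAT-SUP, the switch username and the ISE-side profile name are assumptions; EAP-MD5 is chosen for the supplicant because it involves no TLS handshake at all, so the old IOS on the lab switches is not a problem, but ISE must then allow EAP-MD5 in the allowed protocols of that policy set.

```text
! ===== Authenticator: server-room switch, port facing the floor box socket =====
! CISP lets the authenticated supplicant switch tell this switch to treat the
! port as a trunk once the ISE authorization marks the peer as a switch.
cisp enable
!
interface GigabitEthernet1/0/10
 description floor-box socket -> lab phone switch (assumed port)
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! Anything else plugged into this socket is still authenticated here by
! ISE (dot1x/MAB) because the port never becomes a trunk without the
! device-traffic-class=switch authorization below.
!
! ===== Supplicant: lab phone switch, uplink plugged into the floor box =====
cisp enable
!
! EAP-MD5: no TLS tunnel, so TLS 1.0 does not need to be enabled on ISE.
! Trade-off: the supplicant does not validate a server certificate.
eap profile NEAT-MD5
 method md5
!
dot1x credentials NEAT-SUP
 username lab-phone-sw1
 password 0 <switch-password-placeholder>
!
interface GigabitEthernet0/1
 description uplink to floor box socket (assumed port)
 dot1x pae supplicant
 dot1x credentials NEAT-SUP
 dot1x supplicant eap profile NEAT-MD5
!
! ===== ISE side (summary, not a config syntax) =====
! 1. Identity "lab-phone-sw1" (internal user or AD account) for the supplicant.
! 2. Authorization profile, e.g. "NEAT-Switch", with the advanced attribute
!      cisco-av-pair = device-traffic-class=switch
!    This is what converts the authenticator port into a trunk via CISP.
! 3. The lab switch keeps its management SVI reachable to ISE and runs
!    dot1x/MAB on its own phone ports as a normal NAD, so each phone is
!    authenticated once, on the switch it is directly plugged into.
```

Check: after the supplicant authenticates, `show authentication sessions interface GigabitEthernet1/0/10` on the authenticator should show the switch identity rather than the individual phones.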

@Marvin Rhoads yes, it looks like it is what I need. I have to study it more; I'm still a beginner with ISE.

Also, you are all more experienced, so can anybody tell me where to look if I want to make a policy condition based on any attribute from the live log "Other attributes" section on ISE 3.4?

Sorry, continue with @Marvin Rhoads.

Let him help you to config ISE to authc a SW connected to another SW.

Good luck

MHM
