08-19-2025 01:49 AM - edited 08-19-2025 01:53 AM
Hi,
I have following situation:
I know this is not the best way to do it, but this lab must be publicly accessible and there is no other way to connect 96 phones and their switches to the core switches in the server room in a physically secure way. I also know the switches are EOS, just ignore it, they are working.
The thing is that we are securing all floor box sockets with ISE. The problem I have is that the IP phone switches have an old IOS and do not support TLS1.2 for dot1x. So the only way to use an EAP supplicant is to allow TLS1.0 on ISE. If I use MAB, then all IP phones are authenticated twice - first on their access switch in the lab, second on the parent access switch in the server room (where all floor box sockets are cabled).
I do not know how to do it securely with the current equipment: whether to keep only MAB on those floor box sockets in the lab and disable dot1x EAP, or rather to allow TLS1.0 on ISE, use dot1x EAP-FAST on the IP phone switch and disable MAB on the floor box switch. I was also looking into policy sets, but I do not know how to create a condition for a policy set like "Normalised Radius·RadiusFlowType == Wired802_1x && TLSVersion == TLSv1" - there is nothing like TLSVersion in the possible options and I do not know how to use it, even though in the Live Log it is visible under Other Attributes.
Thanks
08-19-2025 01:53 AM
Sorry, I don't get your request
But
SW to SW you can use MACSec
Phone to network you can use 802.1x and/or mab
MHM
08-19-2025 01:56 AM
Let me clarify it. I want to know opinions on how to secure the access switch in the server room, which is physically cabled to the floor box sockets. So if anybody comes to that LAB room and disconnects the access switch (used for IP phones) from the floor box sockets, the floor box socket will still be secured by ISE and nobody unauthorized can use it.
08-19-2025 02:07 AM
MAB or 802.1x is used only on the SW directly connected to the endpoint
I.e. this needs to be used on the cat3500 series
MHM
08-19-2025 02:14 AM
You need Access SW run as supplicant?
MHM
08-19-2025 02:55 AM
This sounds like a use case for NEAT (Network Edge Authentication Technology). Have a look at this reference to see if it addresses your requirement and concerns:
08-19-2025 03:13 AM
It looks like the ISE and switch are connected to the floorbox sockets, please check the wiring and ensure the configuration is correct.
08-19-2025 06:03 AM
I hope this screenshot helps to understand what I'm trying to solve. I do not know if there is another way than using MAB-only multi-auth on that socket (where each phone is authenticated twice - on the switches in the lab and then in the server room due to MAB and multi-auth), or rather to allow TLSv1.0 on ISE and configure the switches in the phone lab as supplicants (they are old, no TLSv1.2 on them).
08-19-2025 06:41 AM
You need to authc endpoints connected to the access SW?
If the access SW has an UP mgmt interface that can connect to ISE, then the access SW can authc the endpoints, and after these endpoints authc they can access the network, i.e. the checkpoint needs to be close to the endpoint and after this checkpoint you can go wherever you want.
MHM
08-19-2025 08:49 AM
Did you look at the link I shared regarding NEAT setup? With that, the access switch in the server room authenticates the switch connected to the floor box socket. That switch in turn is the network access device passing requests to ISE to authenticate the IP phones (with MAB). If anything else is plugged directly into a floor box socket, it authenticates via the server room switch. No TLS 1.0 is used and the phones should only ever appear in authentication sessions of the switch they are directly plugged into.
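The NEAT setup described in this reply, written out as an added example that is not part of the original thread or of any Cisco documentation quoted here: the server room switch acts as 802.1X authenticator on the port that faces the floor box socket, and the lab phone switch acts as supplicant on its uplink while keeping MAB on its own phone-facing ports. Interface names, the ISE address (192.0.2.10, a documentation address), the credential name and the placeholder secrets are assumptions.

```cisco
! ===== Server room switch (authenticator) - port cabled to the floor box socket =====
! Assumed: ISE PSN at 192.0.2.10, interface names and shared secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! CISP lets the authenticator learn which endpoint MACs sit behind the supplicant switch
cisp enable
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
interface GigabitEthernet1/0/1
 description Floor box socket -> lab phone switch
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast

! ===== Lab phone switch (supplicant) - uplink to the floor box socket =====
cisp enable
! (Optional) send only multicast EAPOL on the supplicant uplink
dot1x supplicant force-multicast
dot1x credentials NEAT-LAB-SW
 username <neat-username-placeholder>
 password 0 <neat-password-placeholder>
interface GigabitEthernet0/24
 description Uplink to floor box socket
 switchport trunk encapsulation dot1q
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-LAB-SW
! Phone-facing ports keep MAB here, so each phone is authenticated once,
! by the switch it is physically plugged into.
interface range GigabitEthernet0/1 - 23
 switchport mode access
 authentication port-control auto
 mab
```

On the ISE side, the authorization profile matched by the supplicant switch needs the NEAT option enabled, which returns the AV pair `device-traffic-class=switch` so the authenticator port moves to trunk mode after the switch authenticates; if the lab switch is unplugged, the port returns to access mode and whatever is plugged in next has to authenticate itself against the server room switch. Check the Live Log for the EAP method the supplicant switch actually negotiates and make sure it is in the Allowed Protocols of the policy set that matches those sessions.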
08-19-2025 11:14 AM
@Marvin Rhoads yes, it looks like it is what I need. I have to study it more, I'm still a beginner with ISE.
Also, you are all more experienced, so can anybody tell me where to look if I want to make a policy condition based on any attribute from the live log "Other attributes" section on ISE 3.4?
08-19-2025 11:18 AM
Sorry, continue with @Marvin Rhoads
Let him help you to config ISE to authc a SW connected to another SW
Good luck
MHM