Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
28542
Views
17
Helpful
10
Replies

Port security and 802.1x (ISE)

Go to solution
jc.saavedra
Level 1
Level 1

‎08-29-2014 02:00 PM - edited ‎03-10-2019 09:59 PM

Hi everyone,

 

I'm implemmenting ISE in a network with Port Security enabled.

 

According the book Cisco ISE for BYOD and Secure Unified Access Port-security is not compatible with 802.1x.

 

I want to know what is the affectation of to have Port-security and 802.1x enabled on the same SW Port.

 

Someone?

 

Thanks!

1 person had this problem
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Moin Ilyas
Level 4
Level 4

‎09-02-2014 11:05 AM

Using 802.1X with Port Security

You can enable an 802.1X port for port security by using the dot1x multiple-hosts interface configuration command. You must also configure port security on the port by using the switchport port-security interface configuration command. With the multiple-hosts mode enabled, 802.1X authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an 802.1X multiple-host port.

These are some examples of the interaction between 802.1X and port security on the switch:

When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

A security violation occurs if the client is authenticated, but port security table is full. This can happen if the maximum number of secure hosts have been statically configured, or if the client ages out of the secure host table. If the client's address is aged out, its place in the secure host table can be taken by another host. In this case, you should enable periodic reauthentication with a shorter time period than the port security aging time.

If the port is administratively shut down the port becomes unauthenticated and all dynamic entries are removed from the secure host table.

For more details please refer: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_13_ea1/configuration/guide/3550scg/Sw8021x.html#wp1049580

Hope that helps.

View solution in original post

10 Replies 10

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎08-29-2014 10:15 PM

There a lot of different commands, features and scenarios. Can you help us answer your question by telling us what exactly you are trying to accomplish?

0 Helpful

Go to solution
jc.saavedra
Level 1
Level 1
In response to nspasov

‎09-01-2014 07:51 AM

Hi Neno, 

 

The scenario is: on the same SW port I have configured:

interface GigabitEthernet1/0/25
 description PC Jeremias Castro
 switchport access vlan 2008
 switchport mode access
 switchport voice vlan 2108
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 30
 authentication event fail action next-method
 authentication event server dead action authorize vlan 2008
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 macro description Phone-Host
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast

 

 

The port is configured to work with 802.1x and Port-security.

 

The question is, what is the problem if I have this config.

 

Thank you.

0 Helpful

Go to solution
Pranav Gade
Level 1
Level 1
In response to nspasov

‎09-30-2014 01:57 AM

Hi Neno,

I am also having some what similar kind off issue .

I am implementing 802.1x with port security for end user access machine with Anyconnect and ISE . Wherein some dell Laptop with docket having issue. 

Issue - If dell laptop user connect there machine with docket then port goes in error disable (laptop having connection from IP Phone)  then phone also gets disable.This only happens when then first time connect their laptop on docket

ISE Configuration - We have configured machine + user authentication with dotx method 

Switch Configuration - 

 

interface GigabitEthernetX/X
 switchport access vlan X
 switchport mode access
 switchport voice vlan X
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky XX.XX.XX
 switchport port-security mac-address sticky XX.XX.XX vlan voice                                      authentication event server dead action authorize vlan XX
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication open                                                                                                                                  auto qos voip cisco-phone
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

Laptop model issue - Dell latitude e4310  and e6510 

 

Can anybody help me on this

 

Thanks 

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Pranav Gade

‎09-30-2014 10:19 AM

In general I stay away from port-security if 802.1x is enabled. I personally don't see the benefit and IMO it only adds additional administrative overhead. In your scenario I believe the port becomes error disabled because you are exceeding the maximum allowed mac addresses, which in your configuration is 2. The reason you are exceeding this with the dock is because 99% of the time the dock also has its own mac address. So you in your scenario you end up with 3 total mac addresses on the port: One for the phone, one for the pc and one from the docking station. 

 

Thank you for rating helpful posts!

Go to solution
Pranav Gade
Level 1
Level 1
In response to nspasov

‎10-02-2014 01:06 AM

Hi Neno,

Thanks for the reply.. As we checked the port is going in error-disable with by phone mac address wherein phone is connected 24/7 and machine connects from phone.

 

Please find below logs from switch - 

 

Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC

Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC

Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B

Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B

Oct  1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B

Oct  1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY

Oct  1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT

Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned

Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state

Oct  1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3

Oct  1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE

Oct  1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state

Can you guide us how to fix this one

 

Regards

Pranav

 

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Pranav Gade

‎10-02-2014 08:42 AM

Add the following command to your switchport and test again:

authentication host-mode multi-auth 

 

Thank you for rating helpful posts!

0 Helpful

Go to solution
suporteredes
Level 1
Level 1
In response to Pranav Gade

‎03-13-2018 05:08 AM

Dude, you have port-security limiting this port for 1 mac-address, but you have IP Phone, than laptop with Docket, with 2 or maybe 3 mac-addresses in total on that port. Maybe that's the problem. What does the show log shows you?

 

You could raise the mac-address limitation from 1 to 3 and remove the static mappings...

 

 

0 Helpful

Go to solution
Moin Ilyas
Level 4
Level 4

‎09-02-2014 11:05 AM

Using 802.1X with Port Security

You can enable an 802.1X port for port security by using the dot1x multiple-hosts interface configuration command. You must also configure port security on the port by using the switchport port-security interface configuration command. With the multiple-hosts mode enabled, 802.1X authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an 802.1X multiple-host port.

These are some examples of the interaction between 802.1X and port security on the switch:

When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

A security violation occurs if the client is authenticated, but port security table is full. This can happen if the maximum number of secure hosts have been statically configured, or if the client ages out of the secure host table. If the client's address is aged out, its place in the secure host table can be taken by another host. In this case, you should enable periodic reauthentication with a shorter time period than the port security aging time.

If the port is administratively shut down the port becomes unauthenticated and all dynamic entries are removed from the secure host table.

For more details please refer: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_13_ea1/configuration/guide/3550scg/Sw8021x.html#wp1049580

Hope that helps.

Go to solution
jc.saavedra
Level 1
Level 1

‎09-04-2014 05:56 AM

Thanks Moin,

 

We have to configure the port with authentication host-mode multi-domain and remove the por-security.

 

Thank you.

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to jc.saavedra

‎09-30-2014 10:20 AM

Sorry, somehow I missed your reply and never replied back to you. Yes, in general I try to stay away from using dot1x and port-security in the same configuration. 

Glad your issue was resolved! 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents