You have a couple of options. The easy thing would be to do port security on the physical interface. However, port security & 8021x typically are not the best when playing together and in my opinion most people would say not to use both together. You could have your policy server deploy policy as you would with ISE or ACS. I think in order to meet your requirement you could eliminate relying on ISE/ACS and statically configure your one port for you one host with whatever policy you want to include vlan etc. You could then configure the other ports on the switch to use policy from AAA server & ensure the one host you do not want to migrate is not a part of any groups on the AAA server so even if the host moved from one interface to another it would fail authentication/authorization and no longer be on the network.
You have a couple of options. The easy thing would be to do port security on the physical interface. However, port security & 8021x typically are not the best when playing together and in my opinion most people would say not to use both together. You could have your policy server deploy policy as you would with ISE or ACS. I think in order to meet your requirement you could eliminate relying on ISE/ACS and statically configure your one port for you one host with whatever policy you want to include vlan etc. You could then configure the other ports on the switch to use policy from AAA server & ensure the one host you do not want to migrate is not a part of any groups on the AAA server so even if the host moved from one interface to another it would fail authentication/authorization and no longer be on the network.
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
