Dot1x authentication host-mode multi-host

Ahmed Gad · ‎10-23-2017

Hi,

there is a need to NAC port connected to flexconnect AP, so the only host-mode port configuration that i can use is multi-host so AP is authenticated and then any authenticated client connect to that AP can have access to the network. and AP will switch each SSID to its corresponding VLAN on the trunk port

Since this port is trunk port with native VLAN, if i connect legitimate voip phone to this port and it get authenticated it will get access to the native vlan even if switch receive "device-traffic-class=voice" from radius server because voice vlan not support on trunk port, the bigger problem is that if some one attach PC to the computer port on that phone it will get full access to port without authentication, Is there is a way to prevent that ? or any alternative solution to NAC port connected to flexconnect AP

Karsten Iwen · ‎10-24-2017

You are addressing the problem in the wrong way:

dot1x is only for access-ports, not for trunk-ports.
You start with an access-port-config that can include a voice-VLAN and everything you need.
The AP authenticates with 802.1x and the ISE returns an authorization-profile that includes the option "NEAT". With that, the port gets reconfigured to trunk and your clients can use different VLANs. When the AP is disconnected the port reverts to an access port.

Ahmed Gad · ‎10-25-2017

Could you please share a configuration on how to turn the port connect to AP to trunk using the NEAT option ?

that will solve one part of the issue but there still the other part is that we need to use multi-host authentication so that only authenticate AP and not the clients connected to it , which will open the door for anyone connect to iphone to have access without authentication do you have a solution for that as well ?