02-01-2024 12:28 AM
Hi
We have a 3rd-party system for heating etc. and have noticed, since we migrated to SD-Access, that when an edge port sees several MAC addresses they are blocked; I see this on ISE. The 3rd party uses some sort of hub to connect their devices, then the hub to the SDA. Is there anything I can do to resolve this issue, please?
Thanks
02-01-2024 01:25 AM
Hi
If you have ports configured for multi-auth, then just authorize the blocked endpoints (MACs) on ISE.
If you have multi-domain or single-host, you have no chance to authorize more than 1 endpoint without switching to multi-auth.
02-05-2024 08:51 AM
Hi
Ours is the same but with single-host. Hardcoding the port to open should be OK, as that's unlimited? Would I also need to allow on ISE still, even with the port hardcoded to open?
Thanks
02-05-2024 09:25 AM - edited 02-05-2024 09:26 AM
No. Open mode won't allow more endpoints than the host-mode allows. But the auth template is port-granular: you can assign multi-auth (unlimited, in DNAC's terms) to this single port. And you have to authorize on ISE all needed MACs appearing behind the port. Talk about the last topic with the system owner.
02-29-2024 02:53 AM - edited 02-29-2024 04:09 AM
Hi
Thanks for that. I have applied the open auth template, which allows multiple MACs, but I still see a security violation on DNAC. Any ideas?
Also, when you mention multi-auth, do you just mean Number of Hosts (unlimited) in the open template?
Thanks
02-29-2024 06:21 PM
Do you need authentication on the SD-Access port? If no, configure the port to no authentication and all MAC addresses and IPv4 addresses will be allowed to transit the port, assuming there is one IPv4 address per MAC address, as opposed to multiple IPv4 addresses per MAC address.
If you do need authentication on the port, then you could load all of the endpoints' MAC addresses into an ISE MAB database and permit each MAC address into the network via ISE MAB policy.
If the endpoints support 802.1X then they will all need a supplicant and valid credentials, AND the 3rd party hub between SD-Access and the devices will need to support EAPoL passthrough, which most do not (making this the least recommended approach).
03-04-2024 09:27 AM
"You have to authorize on ISE all needed MACs appearing behind the port."
Meaning: configure ISE to return AccessAccept for each and every MAC you can see behind the port. Did you do this?
03-04-2024 09:35 AM
The Open Auth template in DNAC means there will be no "access-session closed" command in the interface template deployed to the port. That means the switch will ignore an authentication failure for the endpoint behind the port. But the switch still applies the Authorization result, and if it's AccessReject the endpoint won't obtain connectivity. Nevertheless, your next action is to configure a policy on ISE (or reuse an existing one) in such a manner that the switch (authenticator) receives AccessAccept as the Authorization result for the endpoint behind the port. Details may vary depending on the endpoint. You'd better ask the ISE admin for help.
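As an added illustration, not taken from any post in this thread, the IOS XE IBNS 2.0 interface-template lines that the replies above turn on: the host-mode (single-host versus multi-auth, the latter being what DNAC calls unlimited hosts) and the presence or absence of "access-session closed" (closed versus open mode). The template names, the interface, the description and the policy-map names are made up for the example; use the policy-map names your own edge nodes already carry.

```text
! Added example (not from the thread): IBNS 2.0 interface templates on an
! SD-Access edge node. Names are illustrative.

! Single-host + closed: one MAC per port. A second MAC behind the hub is a
! security violation, and no traffic passes until ISE returns AccessAccept.
template PORT_SINGLE_CLOSED
 access-session host-mode single-host
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber PMAP_EXAMPLE_CLOSED_1X_MAB

! Multi-auth + open: every MAC behind the hub is authenticated on its own.
! Omitting "access-session closed" gives open mode, so an authentication
! failure does not shut the endpoint out, but an explicit AccessReject from
! ISE still denies that MAC. Each MAC therefore still needs an AccessAccept.
template PORT_MULTI_AUTH_OPEN
 access-session host-mode multi-auth
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber PMAP_EXAMPLE_OPEN_1X_MAB

! Bind the multi-auth template to the port facing the 3rd-party hub.
interface GigabitEthernet1/0/10
 description 3rd-party heating hub (example)
 source template PORT_MULTI_AUTH_OPEN

! Checks after the change (same illustrative interface):
!   show derived-config interface GigabitEthernet1/0/10
!   show access-session interface GigabitEthernet1/0/10 details
```

The first show command confirms which host-mode and whether "access-session closed" actually landed on the port; the second lists every MAC the switch currently sees behind it together with the per-session authorization status, which is the list that has to be authorized on ISE.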
02-13-2024 02:43 PM
If you're feeling ambitious you could test interface template + CLI "access-session host-mode multi-host peer". Minimum IOS XE version 17.9. I use that capability to authenticate Meraki AP on Edge Node switch port, but not the wireless clients behind the Meraki AP. Details can be found in this presentation: https://www.ciscolive.com/on-demand/on-demand-library.html?zid=pp&search=brkens-2819#/session/1701824107584001ns2V