Multiple MACs

benolyndav (Level 4)

Hi

We have a 3rd-party system for heating etc. and have noticed, since we migrated to SD-Access, that when an edge port sees several MAC addresses they are blocked. I see this on ISE. The 3rd party uses some sort of hub to connect their devices, then the hub to the SDA. Is there anything I can do to resolve this issue please?

Thanks

8 Replies

Hi
If you have ports configured for multi-auth then just authorize the blocked endpoints (MACs) on ISE.
If you have multi-domain or single-host you have no chance to authorize more than 1 endpoint without switching to multi-auth:

[attached image: andydoesntlikeuucp_0-1706779540336.png]

Hi

Ours is the same but with single-host. Hardcoding the port to open should be OK, that's unlimited? Would I also need to allow on ISE still, even with the port hardcoded to open?

Thanks

No. Open mode won't allow more endpoints than the host mode allows. But the auth template is port-granular: you can assign multi-auth (unlimited in DNAC's terms) to this single port, and you have to authorize on ISE all the needed MACs appearing behind the port. Talk about the last point with the system owner.

Hi

Thanks for that. I have applied the open auth template, which allows multiple MACs, but I still see a security violation on DNAC. Any ideas?

Also, when you mention multi-auth, are you just meaning Number of Hosts (unlimited) in the open template?

Thanks

Do you need authentication on the SD-Access port? If not, configure the port for no authentication, and all MAC addresses and IPv4 addresses will be allowed to transit the port, assuming there is one IPv4 address per MAC address, as opposed to multiple IPv4 addresses per MAC address.

If you do need authentication on the port, then you could load all of the endpoints' MAC addresses into an ISE MAB database and permit each MAC address into the network via an ISE MAB policy.

If the endpoints support 802.1X then they will all need a supplicant and valid credentials, AND the 3rd-party hub between SD-Access and the devices will need to support EAPoL passthrough, which most do not (making this the least recommended approach).

"You have to authorize on ISE all the needed MACs appearing behind the port."
Meaning: configure ISE to return Access-Accept for each and every MAC you can see behind the port. Did you do this?

The Open Auth template in DNAC means there will be no "access-session closed" command in the interface template deployed to the port, meaning the switch will ignore authentication failure for the endpoint behind the port. But the switch still applies the authorization result, and if it is Access-Reject the endpoint won't obtain connectivity. Nevertheless, your next action is to configure a policy on ISE (or reuse an existing one) in such a manner that the switch (authenticator) receives Access-Accept as the authorization result for the endpoint behind the port. Details may vary depending on the endpoint. You had better ask the ISE admin for help.
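
As an added configuration example (not from this thread, and not the template DNA Center actually renders), the two IOS XE interface templates below contrast the closed single-host port the original poster describes with the open-mode, multi-auth port recommended in the replies about host mode and about the Open Auth template. The template names, VLAN number, policy-map name and interface are placeholders; the `show` commands at the end are what to run on the Edge Node to confirm which host mode and which access-session mode (open or closed) is actually in effect on the port.

```cisco
! BEFORE (placeholder names): closed single-host port.
! The second MAC seen behind the 3rd-party hub exceeds the host-mode
! limit and is raised as a security violation, which is what the
! switch reports up to DNA Center.
template TPL_WIRED_CLOSED_SINGLE
 dot1x pae authenticator
 mab
 switchport mode access
 switchport access vlan 100
 access-session port-control auto
 access-session host-mode single-host
 access-session closed
 service-policy type control subscriber PMAP_WIRED_AUTH
!
! AFTER: open mode (no "access-session closed" line) and multi-auth.
! Open mode only stops the switch from blocking traffic while a session
! is pending or failed; every MAC still gets its own session, and a
! RADIUS Access-Reject from ISE still denies that individual MAC.
template TPL_WIRED_OPEN_MULTIAUTH
 dot1x pae authenticator
 mab
 switchport mode access
 switchport access vlan 100
 access-session port-control auto
 access-session host-mode multi-auth
 service-policy type control subscriber PMAP_WIRED_AUTH
!
interface GigabitEthernet1/0/10
 description 3rd-party heating hub (assumed port)
 source template TPL_WIRED_OPEN_MULTIAUTH
!
! Verification on the Edge Node (assumed interface):
! show derived-config interface GigabitEthernet1/0/10
!   -> effective config must contain "access-session host-mode multi-auth"
!      and must NOT contain "access-session closed"
! show access-session interface GigabitEthernet1/0/10 details
!   -> one session per MAC; Status shows Authorized only for the MACs
!      ISE answered with Access-Accept
```

Two caveats for a fabric port: in an SD-Access deployment DNA Center owns the interface configuration, so the host mode should be changed by selecting a different authentication template for that port in DNA Center rather than by editing the CLI by hand, otherwise the next provisioning run will overwrite it. And because MAB authorizes by MAC address alone, every MAC you add to ISE for the hub is an identity anyone on that segment can spoof; keep the authorization result (VLAN/SGT/dACL) for those endpoints as narrow as the heating system actually needs.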

jedolphi (Cisco Employee)

If you're feeling ambitious you could test an interface template plus the CLI "access-session host-mode multi-host peer". Minimum IOS XE version 17.9. I use that capability to authenticate a Meraki AP on an Edge Node switch port, but not the wireless clients behind the Meraki AP. Details can be found in this presentation: https://www.ciscolive.com/on-demand/on-demand-library.html?zid=pp&search=brkens-2819#/session/1701824107584001ns2V