11-11-2021 01:49 AM - edited 11-11-2021 02:20 AM
Hi,
I am interested in the following scenarios for a system with ISE as the authentication server:
1) There are 2 endpoints attached to a single interface configured for 802.1x. Both require 802.1x authentication (EAP-TLS)
2) There are 3 endpoints attached to a single interface configured for 802.1x. Two require 802.1x authentication (EAP-TLS), one doesn't support 802.1x
A) For scenario 1, is it possible to configure the port so that only if both endpoints are authenticated the port is active?
B) For scenario 2, is it possible to configure the port so that only if both endpoints are authenticated the port is active, even though there is a third MAC on that port that can't be authenticated via 802.1x?
C) If there is a separate command to do this if multi-auth isn't suitable, I'd appreciate it if you could tell me more about it.
I ask because I can't find any CLI command which deals with which or how many endpoints must be authenticated if you use multi-auth. At present I'm not using IBNS 2.0, and if possible I'd like to keep it that way, but if necessary for this use-case it would definitely be considered.
Thanks for your time.
11-11-2021 07:35 AM
A) and B): no, AFAIK you cannot configure a number for how many devices need to be authenticated to "open" the port
you have either:
- single auth, to open the port
  if you connect multiple devices to this port using a hub (if you still have any)
  the first authenticated device opens the port for all connected devices
- multi auth
  ALL hosts need to authenticate individually
  if you have non-dot1x clients you need to authenticate those clients using MAB
a question comes up: how do you want to connect three devices to a single switch-port?
if you add an extra switch to add more ports, authentication should be done at those switchports, not on the interconnecting link
if this is a dumb switch then of course this is not possible; you need something different
you need to authenticate this dumb switch using MAB, and all devices connected to this authenticated switch will be allowed (which may be unwanted?)
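The host modes described in the reply above correspond to the legacy (pre-IBNS 2.0) IOS interface commands shown here; this is an added illustration, not configuration from the thread, and the interface name, VLAN and timer values are assumed.

```ios
! Added example (not from the thread): legacy IBNS 1.0 style port config.
! Interface name, VLAN and timer values are assumed.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 !
 ! multi-auth: every MAC seen on the port gets its own session and must
 ! authenticate on its own. dot1x (EAP-TLS) is tried first; MAB is the
 ! fallback for the host that cannot do 802.1X.
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Contrast (the hub case in the reply): with multi-host the first successful
! authentication opens the port for every MAC behind it.
!  authentication host-mode multi-host
!
! Verification: one row per MAC, each with its own status and method.
! show authentication sessions interface GigabitEthernet1/0/1
```

In both modes each session is decided on its own; no option in this command set ties one host's access to another host's authentication result.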
11-11-2021 11:02 AM
Hi,
We have devices which are chained on that switchport by design, and the demand is to authenticate both devices who support 802.1x.
Assuming the case of two devices on the switchport, each supporting 802.1x, how can the port remain closed until both are authenticated? What's stopping the port from opening after the first authentication by any of the devices?