802.1x: Questions about "host-mode multi-auth" flexibility

Nadav
Level 7

Hi,

I am interested in the following scenarios for a system with ISE as the authentication server:

1) There are 2 endpoints attached to a single interface configured for 802.1x. Both require 802.1x authentication (EAP-TLS)

2) There are 3 endpoints attached to a single interface configured for 802.1x. Two require 802.1x authentication (EAP-TLS), one doesn't support 802.1x

A) For scenario 1, is it possible to configure the port so that only if both endpoints are authenticated the port is active?

B) For scenario 2, is it possible to configure the port so that only if both endpoints are authenticated the port is active, even though there is a third MAC on that port that can't be authenticated via 802.1x? 

C) If there is a separate command to do this if multi-auth isn't suitable, I'd appreciate it if you could tell me more about it.

I ask because I can't find any CLI command which deals with which or how many endpoints must be authenticated if you use multi-auth. At present I'm not using IBNS 2.0, and if possible I'd like to keep it that way, but if necessary for this use-case it would definitely be considered.

Thanks for your time.

2 Replies

pieterh
VIP

A) and B) no, AFAIK you cannot configure how many devices need to be authenticated to "open" the port

you have either:
- single auth, to open the port
   if you connect multiple devices to this port using a hub (if you still have any)
   the first authenticated device opens the port for all connected devices

- multi auth
   ALL hosts need to authenticate individually
   if you have non-dot1x clients you need to authenticate those clients using MAB

a question comes up: how do you want to connect three devices to a single switch-port?
if you add an extra switch to add more ports, authentication should be done at those switchports, not on the interconnecting link
if this is a dumb switch then of course this is not possible, you need something different
you need to authenticate this dumb switch using MAB and all connected devices to this authenticated switch will be allowed
(which may be unwanted?)
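As an added illustration of the two modes described above (not configuration from this thread or from any Cisco document), here is a classic pre-IBNS 2.0 IOS access-port configuration in multi-auth mode: 802.1X (EAP-TLS against ISE) is attempted first, and the endpoint that cannot do 802.1X falls through to MAB, so each MAC on the port is authorized on its own. The interface name, VLAN, the ISE address and the shared secret are placeholders.

```cisco
! Added example, not from the thread: multi-auth access port with
! dot1x first and MAB fallback, ISE as the RADIUS server.
! Every MAC is authorized individually; there is no setting that
! keeps the port closed until a given number of hosts have passed.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Placeholder ISE policy service node and shared secret
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
! Enable 802.1X globally
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Each attached MAC must authenticate separately
 authentication host-mode multi-auth
 authentication port-control auto
 ! Try 802.1X first; a host that never answers EAP is tried with MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! Extra MACs that fail are dropped, already-authorized hosts keep access
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Shorter EAP retry so the non-dot1x host reaches MAB sooner
 dot1x timeout tx-period 10
 spanning-tree portfast
```

`show authentication sessions interface GigabitEthernet1/0/1 details` then lists each MAC with its own method and status, which is the only per-host "all authenticated" check available. The non-802.1X MAC must be known to ISE (for example in an endpoint identity group) for its MAB attempt to be accepted rather than rejected.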

Hi,

We have devices which are chained on that switchport by design, and the demand is to authenticate both devices that support 802.1x.

Assuming the case of two devices on the switchport, each supporting 802.1x, how can the port remain closed until both are authenticated? What's stopping the port from opening after the first authentication by any of the devices?
