Macro for 802.1x interface with multiple hosts

Koldts
Level 1

Hello!

I hope someone with better understanding is able to help me with this problem we have.

We want to be fully 802.1x compliant on all switches, and the last thing we need is for Macros to work on interfaces with multiple MAC addresses behind (like a switch). I have working macros for Trunk AP's, but when there are 2 or more MAC addresses on an interface ISE is not fast enough to push the authentication before the MAC flaps to the other one.

Mar 8 11:10:06: %SESSION_MGR-5-SECURITY_VIOLATION: Switch 1 R0/0: sessmgrd: Security violation on the interface FiveGigabitEthernet1/0/13, new MAC address (MAC1) is seen. AuditSessionID Unassigned
Mar 8 11:10:06: %SESSION_MGR-5-MACREPLACE: Switch 1 R0/0: sessmgrd: MAC address (MAC2) on Interface FiveGigabitEthernet1/0/13 is replaced by MAC (MAC1) AuditSessionID FB09E70A000000891D8A890F


My working macro for AP trunk and also my 802.1x is this:

macro auto execute MACRO-NAME {
if [[ $LINKUP == YES ]]
then conf t
default interface $INTERFACE
interface $INTERFACE
description WIRELESS-TRUNK
macro description $TRIGGER
macro auto processing
switchport mode trunk
switchport trunk native vlan VLANID
switchport trunk allowed vlan VLANIDs
spanning-tree portfast trunk
exit
fi
if [[ $LINKUP == NO ]]
then conf t
default interface $INTERFACE
interface $INTERFACE
description 802.1x
switchport mode access
authentication event fail action authorize vlan VLANID
authentication event server dead action authorize vlan VLANID
authentication event no-response action authorize vlan VLANID
authentication event server alive action reinitialize
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 15
spanning-tree portfast
exit
fi
}


I don't think we want Multi-host or Multi-auth, as we don't want multiple MACs on interfaces without using macros.
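As an added example (not code from the thread), a small Python parser for the %SESSION_MGR syslog lines quoted above: it flags ports where the single-host 802.1x session keeps being replaced between MACs, which is the symptom of a multi-MAC device behind an access port. The sample log text is constructed; the interface name and AuditSessionID match the thread, the MAC addresses and the second port are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog in the %SESSION_MGR format quoted in the question.
# Interface 1/0/13 and the AuditSessionID come from the thread; MACs and 1/0/20 are made up.
SAMPLE_LOGS = """\
Mar 8 11:10:06: %SESSION_MGR-5-SECURITY_VIOLATION: Switch 1 R0/0: sessmgrd: Security violation on the interface FiveGigabitEthernet1/0/13, new MAC address (0011.2233.4455) is seen. AuditSessionID Unassigned
Mar 8 11:10:06: %SESSION_MGR-5-MACREPLACE: Switch 1 R0/0: sessmgrd: MAC address (0011.2233.6677) on Interface FiveGigabitEthernet1/0/13 is replaced by MAC (0011.2233.4455) AuditSessionID FB09E70A000000891D8A890F
Mar 8 11:10:09: %SESSION_MGR-5-SECURITY_VIOLATION: Switch 1 R0/0: sessmgrd: Security violation on the interface FiveGigabitEthernet1/0/13, new MAC address (0011.2233.6677) is seen. AuditSessionID Unassigned
Mar 8 11:10:09: %SESSION_MGR-5-MACREPLACE: Switch 1 R0/0: sessmgrd: MAC address (0011.2233.4455) on Interface FiveGigabitEthernet1/0/13 is replaced by MAC (0011.2233.6677) AuditSessionID FB09E70A000000891D8A890F
Mar 8 11:12:40: %SESSION_MGR-5-SECURITY_VIOLATION: Switch 1 R0/0: sessmgrd: Security violation on the interface FiveGigabitEthernet1/0/20, new MAC address (0011.2233.8899) is seen. AuditSessionID Unassigned
"""

# Field layout taken from the two message formats quoted in the question.
VIOLATION_RE = re.compile(
    r"%SESSION_MGR-5-SECURITY_VIOLATION: .*?interface (\S+), new MAC address \(([0-9a-f.]+)\)",
    re.IGNORECASE)
REPLACE_RE = re.compile(
    r"%SESSION_MGR-5-MACREPLACE: .*?MAC address \(([0-9a-f.]+)\) on Interface (\S+) "
    r"is replaced by MAC \(([0-9a-f.]+)\)", re.IGNORECASE)


def port_mac_activity(log_text):
    """Return {interface: {"macs": set, "replacements": int}} for every interface
    that raised a single-host security violation or a MACREPLACE event."""
    activity = defaultdict(lambda: {"macs": set(), "replacements": 0})
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            activity[m.group(1)]["macs"].add(m.group(2).lower())
            continue
        m = REPLACE_RE.search(line)
        if m:
            old_mac, iface, new_mac = m.groups()
            activity[iface]["macs"].update((old_mac.lower(), new_mac.lower()))
            activity[iface]["replacements"] += 1
    return dict(activity)


def flapping_ports(log_text, min_replacements=2):
    """Interfaces whose session flips between two or more MACs repeatedly: the
    pattern a downstream switch (or a mis-patched uplink) produces on a single-host port."""
    return sorted(iface for iface, a in port_mac_activity(log_text).items()
                  if len(a["macs"]) >= 2 and a["replacements"] >= min_replacements)


if __name__ == "__main__":
    for iface in flapping_ports(SAMPLE_LOGS):
        print(f"{iface}: MAC flapping, {port_mac_activity(SAMPLE_LOGS)[iface]}")
```

Feeding the real switch syslog to `flapping_ports` gives the list of access ports that currently have more than one MAC behind them, which is the set the macro in the question cannot handle.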

10 Replies

Max Jobs
Level 1

Hi Koldts,

I'm not sure, but I think enabling multi-host mode does have security implications, as it allows multiple devices to connect to the same switch port. But if you are OK with it, here is an edit to your macro:

if [[ $LINKUP == NO ]]
then
    conf t
    default interface $INTERFACE
    interface $INTERFACE
    description 802.1x
    switchport mode access
    authentication event fail action authorize vlan VLANID
    authentication event server dead action authorize vlan VLANID
    authentication event no-response action authorize vlan VLANID
    authentication event server alive action reinitialize
    authentication order mab dot1x
    authentication priority mab dot1x
    authentication port-control auto
    authentication violation replace
    dot1x pae authenticator
    dot1x timeout quiet-period 3
    dot1x timeout tx-period 15
    spanning-tree portfast
    dot1x multi-host
    exit

Look at the end of macro, by adding the dot1x multi-host command, we're enabling multi-host mode on the interface, which should allow multiple MAC addresses to be authenticated independently.

Hope it works :D

Hey Moein

Yeah, we would not want that, as I stated in the last line of my post: we don't want multiple MACs on interfaces without using macros.

The 802.1x configuration would need to be universal on all our ports in our organization.

nict
Level 1

Hi Koldts,

You have some different options to choose between:

  • Single-host (Default) = Only 1 MAC address allowed on your interface.
  • Multi-host = First MAC address only will be authenticated to ISE. If it is allowed, all other MAC addresses will also be allowed.
  • Multi-domain = You are able to have 1 device on data and 1 device on Voice (Typically IP Phone + PC setup)
  • Multi-Auth = Each MAC address will individually get authenticated to ISE.

Single-host implies that only one MAC address is allowed on your interface, which causes some problems when you are connecting another switch or connecting an AP to your port (or generally just a trunk port where you see more than one MAC address).

To answer your question, it really depends on how your Wireless Setup is configured. If you are doing CAPWAP to tunnel everything to your WLC, then single-host would actually be enough, but since you are seeing more than 1 MAC address on the port which has the AP connected, I suppose you are running Flex-Connect and having some local switching for some VLANs?

If that is the case, you have the options to choose between Multi-host or Multi-Auth.

If you have configured 802.1x on your SSID's on your WLC, Multi-host would be just enough, since your WLC would send the authentication requests towards ISE (If configured) - Since Multi-auth would actually do a double authentication.

Hello nict.


Thanks for the reply, but my problem is with a switch and not AP's. We already have a working macro for our Flexconnect AP's that will get reconfigured to a trunk port when ISE detects the AP's MAC address.

Our network is setup as:

CORE -> DIST -> ACCESS. But we have 3 auditoriums on one location where their AV Switches don't link up to our DIST switch. So it's CORE -> DIST -> ACCESS -> AV.

We want to be fully compliant with 802.1x ports on all our Access switches and therefore not have any static trunk port configured to these AV switches, as we have now. What I would like to do is for ISE to authenticate the AV Switch, so it will be hit with a macro to turn the port it is connected to into a trunk port.

But this is not possible as of now, as the macro (or ISE) is taking too long to authenticate, and in the meantime our Access switch sees another MAC on the port where the AV Switch is connected, and then it flaps between the lot.

What I would like to do/know is if there is somehow a way to make the ISE macro hit faster when seeing the MAC address of the switch the first time, before flapping. But I doubt it can be done.

Aha, that is something else.

Any particular reason why you want 802.1x configured between your Access Switch <-> AV Switch?

Normally 802.1x is used for securing your edge ports.

If your switches are locked into a cabinet, I would not be afraid to make the ports as a static trunk.


Edit:

I have seen this problem quite often. I am working at a customer who has switches placed on the tables where people are working, because the building is listed and therefore they are having trouble changing the infrastructure of the building itself.

The solution is to have those switches on tables for people to connect via wire. The problem is as yours, that some other MAC address will be authenticated first and not the switch itself.

A workaround is to make the switch port a static trunk, log in to the switch (AV switch in your example) and close all ports except the uplink. Enable 802.1x again on the port and then the switch will be authenticated correctly. Log in to the AV switch again and enable all ports.


From my practical knowledge, I therefore have no good permanent solution to your problem, if you want to authenticate your AV switches with 802.1x and macros.

All our switches are locked where users can't reach them. But the problem is we're 2 Network guys in this organization and we have 11 sites, so having as many idiot-proof ports as possible is what we want. Just last week I had to go to the site with our 3 auditoriums because someone put the A/V Switch uplink port into the wrong drop in the wall, so nothing worked.

It is also a matter of security. So a random person won't be able to plug his PC into the Trunk, and then get access to whatever VLANs are on that trunk.

We could get rid of the A/V Switches but that would be a huge electrician bill. Therefore I'm searching for a workaround, and I hoped it would work with macros as it does with our Flexconnect AP's.


@Koldts wrote:

All our switches are locked where users can't reach them. But the problem is we're 2 Network guys in this organization and we have 11 sites, so having as many idiot-proof ports as possible is what we want. Just last week I had to go to the site with our 3 auditoriums because someone put the A/V Switch uplink port into the wrong drop in the wall, so nothing worked.

It is also a matter of security. So a random person won't be able to plug his PC into the Trunk, and then get access to whatever VLANs are on that trunk.

We could get rid of the A/V Switches but that would be a huge electrician bill. Therefore I'm searching for a workaround, and I hoped it would work with macros as it does with our Flexconnect AP's.



This does not add up to me. How can someone mess with the uplink from your AV switch if it is locked up?

If some random person actually has physical access to your equipment to plug his PC into the switch, I would rest my case that the port security would not fix the problem.

I am sorry for the confusion. All our Access Switches are locked; the A/V switches are not. The uplink from the A/V switch to the Access switch is through a drop in the wall behind the rolling rack the A/V is mounted in. Someone unplugged the drop in the wall and put it into another drop that was 802.1x instead of the trunk port.

@andrewswanson I did not know about interface templates, I will look into that in the morning.

This link may help if you are looking at interface templates for authorization:

https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/4561-docs-security/5607/1/ise_neat-w-int-template.pdf

hth

Andy

Hi

Do your switches support Interface Templates? It could be worth investigating if the authorization process is quicker if ISE specifies an interface template rather than a macro.

hth

Andy

