12-22-2013 10:13 PM - edited 03-10-2019 09:12 PM
Hi all,
A few questions on authenticator NAD (example: switch) support for these items:
01. Desktop switches: how can we enable another switch to plug in and extend the network? What is the deal with Network Edge Access Topology (NEAT)?
What must be configured on the ISE policy node, the authenticator switch and the new plugged-in extended switch?
02. How and what needs to be done on the authenticator switch and ISE for these:
a. MAC Replace
b. MAC Move
Thanks
Noel
12-24-2013 12:56 AM
mac replace -
mac move -
Before you consider NEAT -
If you are using a dumb switch you can enable multi-auth so that all MAC addresses forwarded up to the switch port are authenticated. Dynamic VLAN assignment is not a scalable solution for this, since you can only assign the first authenticated MAC address to the dynamic VLAN; others either inherit the VLAN or error-disable the port (I can't recall), but it is documented.
NEAT is only supported on a few access or distribution switches, so make sure you follow the release notes to see if your platform supports this design.
ISE policy node - must have the av-pair device-traffic-class=switch configured to dynamically convert the authenticator's port over to a trunk port. Your design depends on either MAB or dot1x succeeding for this av-pair to be triggered in your authorization policy, i.e. a profiled endpoint group or a user group with the credentials mapped to a user group, or both.
Authenticator switch - must allow RADIUS authentication, authorization and, for proper license tracking, accounting.
Client switch - credentials (see reference guides and config examples); forward traffic to trigger MAB if dot1x is not part of this solution.
Thanks,
Tarik Admani
*Please rate helpful posts*
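
The three pieces listed in the reply above (ISE authorization result, authenticator switch, client switch) as an added configuration sketch; it is not from either poster or from Cisco's own examples. Interface names, the credential profile name NEAT-CRED, the 192.0.2.10 RADIUS address and the bracketed secrets are assumptions or placeholders, and exact syntax varies by platform and IOS release.

```cisco
! --- ISE authorization profile (set in the ISE GUI, shown here as a comment) ---
! Advanced attribute returned on a successful dot1x/MAB match for the client switch:
!   cisco-av-pair = device-traffic-class=switch
! On receipt, the authenticator converts the access port to a trunk.

! --- Authenticator switch (upstream, talks RADIUS to ISE) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Accounting is what lets ISE track the session for licensing
aaa accounting dot1x default start-stop group radius
! Placeholder server and key; newer releases use a "radius server" block instead
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
dot1x system-auth-control
! CISP lets the client switch report the MAC addresses behind it
cisp enable
!
interface GigabitEthernet1/0/1
 description Port facing the NEAT client switch (assumed interface)
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Client (supplicant) switch, e.g. a desktop/compact switch ---
cisp enable
dot1x credentials NEAT-CRED
 username <CLIENT-SWITCH-USER>
 password 0 <CLIENT-SWITCH-PASSWORD>
dot1x supplicant force-multicast
!
interface GigabitEthernet0/1
 description Uplink to the authenticator switch (assumed interface)
 ! "switchport trunk encapsulation dot1q" is needed only on platforms that also support ISL
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-CRED
```

Endpoints plugged into the client switch still need their own dot1x or MAB policy on its access ports; the trunk conversion only authenticates the switch itself.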