ISE question on desktop switches, MAC replace, MAC move

yong khang NG
Level 5

Hi all,

A few questions on the authenticator NAD (example: a switch) to support these items:

01. Desktop switches: how can we enable another switch to plug in and extend the network? What is the deal with Network Edge Access Topology (NEAT)?

What must be configured on the ISE policy node, the authenticator switch and the newly plugged-in extension switch?

02. What needs to be done on the authenticator switch and ISE for these:

a. MAC Replace

b. MAC Move

Thanks

Noel


Tarik Admani
VIP Alumni

MAC replace -

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1143287

MAC move -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1481527

Before you consider NEAT -

If you are using a dumb switch, you can enable multi-auth so that all MAC addresses forwarded up to the switch port are authenticated. Dynamic VLAN assignment is not a scalable solution for this scenario, since you can only assign the first authenticated MAC address to the dynamic VLAN; the others either inherit the VLAN or error-disable the port (I can't recall), but it is documented.

NEAT is only supported on a few access or distribution switches, so make sure you follow the release notes to see if your platform supports this design.

ISE policy node - must have the av-pair device-traffic-class=switch configured to dynamically convert the authenticator's port over to a trunk port. Your design depends on either MAB or dot1x succeeding for this av-pair to be triggered in your authorization policy, i.e., a profiled endpoint group, or a user group with the credentials mapped to a user group, or both.

Authenticator switch - must allow RADIUS authentication, authorization, and, for proper license tracking, accounting.

Client switch - credentials (see the reference guides and config examples); forward traffic to trigger MAB if dot1x is not part of this solution.

Thanks,

Tarik Admani
*Please rate helpful posts*
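To make the three pieces of the reply above concrete (ISE av-pair, authenticator switch AAA, client switch credentials), here is an added configuration example. It is not Tarik's or Cisco's documented config and is not from the original thread; the RADIUS server address, shared secret, credential name, interface numbers and VLAN are constructed placeholders, and the ISE section is a prose description of the GUI objects rather than a file you can load.

```cisco
! ===== Authenticator switch (existing ISE-controlled access switch) =====
! Constructed example: 192.0.2.10 and the key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! accounting is what lets ISE track sessions and licenses
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
dot1x system-auth-control
! CISP carries the NEAT exchange between the two switches
cisp enable
!
interface GigabitEthernet1/0/1
 description Desk port that may receive a NEAT supplicant switch
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! multi-auth covers the non-NEAT "dumb switch" case from the reply:
 ! every MAC seen behind the port is authenticated individually
 authentication host-mode multi-auth
 mab
 dot1x pae authenticator
!
! ===== Supplicant (client) switch plugged into that desk port =====
! The username/password must match the identity ISE authorizes.
cisp enable
dot1x credentials NEAT-SW
 username neat-switch-01
 password 0 PLACEHOLDER-PASSWORD
!
interface GigabitEthernet0/24
 description Uplink toward the authenticator switch
 switchport mode access
 dot1x pae supplicant
 dot1x credentials NEAT-SW
!
! ===== ISE (described, not importable) =====
! Authorization Profile "NEAT-Switch": Access-Accept carrying
!   cisco-av-pair = device-traffic-class=switch
! Authorization rule: identity group containing neat-switch-01 (dot1x)
!   or a profiled switch endpoint group (MAB)  ->  NEAT-Switch
! When this profile is returned, the authenticator converts Gi1/0/1
! from access to trunk for the duration of the session.
```

Verification after the supplicant switch links up: on the authenticator, `show authentication sessions interface GigabitEthernet1/0/1` should show the switch's session as authorized with the NEAT-Switch profile, `show cisp summary` should list the peer, and `show interfaces GigabitEthernet1/0/1 switchport` should now report trunk mode. On ISE, the RADIUS live log for neat-switch-01 should show the NEAT-Switch authorization profile; a plain Access-Accept without the av-pair means the rule matched a different profile and the port stays an access port.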