Cisco Support Community
ISE question on desktop switches, MAC replace, MAC move

Hi all,

A few questions on the authenticator NAD (example: a switch) to support these items:

01. Desktop switches: how can we enable another switch to plug in and extend the network? What is the deal with Network Edge Access Topology (NEAT)?

What must be configured on the ISE policy node, the authenticator switch, and the newly plugged-in extension switch?

02. How, and what, needs to be done on the authenticator switch and ISE for these:

a. MAC Replace

b. MAC Move

Thanks

Noel

1 REPLY

MAC replace -

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1143287

MAC move -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1481527

Before you consider NEAT -

If you are using a dumb switch you can enable multi-auth so that all MAC addresses forwarded up to the switch port are authenticated. Dynamic VLAN assignment is not a scalable solution for this, since you can only assign the first authenticated MAC address to the dynamic VLAN; the others either inherit the VLAN or error-disable the port (I can't recall), but it is documented.

NEAT is only supported on a few access or distribution switches, so make sure you follow the release notes to see if your platform supports this design.

ISE policy node - must have the av-pair device-traffic-class=switch configured to dynamically convert the authenticator's port over to a trunk port. Your design depends on either MAB or dot1x succeeding for this av-pair to be triggered in your authorization policy, i.e. a profiled endpoint group, or a user group with the credentials mapped to a user group, or both.

Authenticator switch - must allow RADIUS authentication, authorization, and, for proper license tracking, accounting.

Client switch - credentials (see the reference guides and config examples); forward traffic to trigger MAB if dot1x is not part of this solution.

Thanks,

Tarik Admani
*Please rate helpful posts*

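The pieces Tarik lists (ISE av-pair, RADIUS AAA on the authenticator, credentials on the client switch) put together as one worked configuration. This is an added example, not configuration from the original post or from Cisco's documentation; the hostnames, interface numbers, VLAN IDs, RADIUS server address, shared secret, credential name and username/password are all assumed values for illustration. It also adds the multi-auth port for an unmanaged ("dumb") switch that the reply mentions as the pre-NEAT option, and the IOS commands for MAC move and MAC replace that the two linked guides cover, so the full set of items from the question sits in one place.

```cisco
! ===== ISE policy node (configured in the GUI, shown here as the resulting RADIUS attribute) =====
! Authorization Profile "NEAT-Switch-Trunk", Advanced Attributes Settings:
!   Cisco:cisco-av-pair = device-traffic-class=switch
! Authorization rule (example): if identity group = "NEAT-Switches" (assumed internal user group
!   holding user neat-sw01) then Permissions = NEAT-Switch-Trunk.
! Without this av-pair the authenticator port stays an access port after a successful 802.1X.

! ===== Authenticator switch (the one the extension switch plugs into) =====
hostname AUTH-SW01
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! accounting is what gives ISE session/license visibility for the supplicant switch
aaa accounting dot1x default start-stop group radius
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key ISE-shared-secret
dot1x system-auth-control
! CISP (Client Information Signalling Protocol) lets the two switches exchange NEAT state
cisp enable
!
interface GigabitEthernet1/0/10
 description Uplink to NEAT supplicant switch NEAT-SW01
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
! After NEAT-SW01 authenticates and ISE returns device-traffic-class=switch, the switch
! converts this port to a trunk automatically; no static "switchport mode trunk" is needed.
!
! Pre-NEAT alternative for an unmanaged desktop switch: authenticate every MAC behind the port.
! Do not pair this with dynamic VLAN assignment; only the first session's VLAN can be applied.
interface GigabitEthernet1/0/11
 description Unmanaged desktop switch, every downstream MAC is authenticated
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! MAC move (global): allow an authenticated MAC to appear on a different port of this switch
! without first having to age out or be cleared.
authentication mac-move permit
!
! MAC replace (per port): when a new MAC shows up on a single-host port, replace the existing
! session instead of raising a security violation. Shown on the unmanaged-switch port.
interface GigabitEthernet1/0/11
 authentication violation replace

! ===== Supplicant (client) switch that plugs into AUTH-SW01 =====
hostname NEAT-SW01
cisp enable
! Credentials must match the identity ISE maps into the "NEAT-Switches" group above.
dot1x credentials NEAT-CREDS
 username neat-sw01
 password 0 Assumed-Sw1tch-P4ss
!
interface GigabitEthernet1/0/24
 description Uplink to authenticator AUTH-SW01 Gi1/0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-CREDS
! On IOS 15.x releases the supplicant also needs an EAP profile, e.g.
!   eap profile NEAT-EAP
!    method md5
! and under the interface:
!   dot1x supplicant eap profile NEAT-EAP
```

Two checks worth doing after applying this: `show authentication sessions interface GigabitEthernet1/0/10` on AUTH-SW01 should show the supplicant switch's session as authorized, and `show interfaces GigabitEthernet1/0/10 switchport` should then report the operational mode as trunk; if it still reports access, the av-pair was not returned by the matching ISE authorization rule. The `switchport trunk encapsulation dot1q` line is only accepted on platforms that also support ISL; drop it on switches such as the 2960 that reject it.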