802.1x in a multi-domain environment sharing common distribution

robert.lorrison
Level 1

Greetings,

I'm trying to figure out how best to implement 802.1x port-based authentication on a network that supports multiple tenants.  We control the distribution and access switches with clients connecting to multiple domains on different networks.  Because this is a validation and testing environment, everyone is going to eventually require their own RADIUS authentication server (probably ISE).

In other words, client A on switch A will need to authenticate with the RADIUS server belonging to tenant A, while client B (also on switch A) would need to authenticate with a different RADIUS server belonging to tenant B, and so on.  So far the closest I've come to a solution is this:

https://community.cisco.com/t5/network-access-control/802-1x-multi-server-radius/td-p/4488535

But that's just for use as an HA failover and not a valid solution for our environment.  Any help would be appreciated, thanks.

1 Accepted Solution

ISE (and the switch config) is not designed for multi-tenancy

5 Replies


You have one PSN node or two?

Good question. If it was up to me we'd just operate a single node, but I'm pretty sure each tenant is gonna want to stand up their own policy server. I spoke to a Cisco engineer who recommended parsing all the clients into separate VRFs, but that creates a whole new set of problems because we'd have to create an interface VLAN for every SVI being used on an access port on that switch, in addition to a routed admin VLAN per VRF to direct the switch to their RADIUS server.

Yeah, there are limits on how many AAA servers you can configure as well. What is the exact use-case here? Why so many clients on a single switch? Why the need for full AAA separation?

SVI x for port x-x10 in VRF x 
use radius server vrf aware PSN1
use source interface SVI x

SVI y for port y-y10 in VRF y 
use radius server vrf aware PSN2
use source interface SVI y

That can work I think: each SVI sends to a specific RADIUS (PSN) server.
Hope so.
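As an added illustration (not configuration from the thread, from Cisco documentation, or from any of the posters), here is the per-SVI, per-VRF layout sketched in the reply above written out for tenant A, assuming an IOS-XE switch using new-style (C3PL) authentication. Tenant names, VLAN numbers, addresses, the shared key and the port range are placeholders, and the exact command syntax should be checked against the switch's release.

```cisco
! Added example, not from the thread: one tenant's per-VRF RADIUS path on an
! IOS-XE switch with new-style (C3PL) authentication. All names, VLAN numbers,
! addresses and the key are placeholders; check syntax against your release.
aaa new-model
dot1x system-auth-control
!
! Tenant A gets its own VRF; the client VLAN SVI also lives in it (not shown)
vrf definition TENANT-A
 address-family ipv4
!
! Routed admin SVI in the tenant VRF, used as the RADIUS source interface
interface Vlan10
 description TENANT-A admin SVI
 vrf forwarding TENANT-A
 ip address 10.10.0.2 255.255.255.0
!
radius server ISE-TENANT-A
 address ipv4 10.10.0.10 auth-port 1812 acct-port 1813
 key TENANT-A-SHARED-SECRET-PLACEHOLDER
!
! VRF-aware server group: requests leave via Vlan10 inside TENANT-A
aaa group server radius RADIUS-TENANT-A
 server name ISE-TENANT-A
 ip vrf forwarding TENANT-A
 ip radius source-interface Vlan10
!
! Named (not default) method lists bound to this tenant's group only
aaa authentication dot1x TENANT-A group RADIUS-TENANT-A
aaa authorization network TENANT-A group RADIUS-TENANT-A
!
! Per-port policy that selects the tenant's method lists
policy-map type control subscriber DOT1X-TENANT-A
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list TENANT-A authz-list TENANT-A
!
interface range GigabitEthernet1/0/1 - 10
 description TENANT-A client ports
 switchport mode access
 switchport access vlan 110
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber DOT1X-TENANT-A
!
! Tenant B: repeat the lines above with its own VRF, SVI, server, group, method
! lists and policy-map, then apply that policy-map to tenant B's ports.
```

Each tenant's RADIUS traffic is then sourced from an SVI inside that tenant's VRF, which is what keeps authentication requests from one tenant's ports from reaching another tenant's PSN.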