
Cisco ISE with multiple virtual machines on same host

engahmedsaied
Level 1

Hello,

Please advise: we have virtual machines running on the same host and connected to one switch port. How can ISE help in that scenario, or does it only work on a physical port that has a single machine behind it?

If any point is not clear, please let me know.

Thanks.

1 Accepted Solution

Accepted Solutions

paul
Level 10

It depends on the number of MAC addresses presented to the switch. If the VMs are running in NAT mode, meaning they are all using the MAC address of the host operating system, then only the host operating system is going to get authenticated. If the host operating system is not running 802.1x, gets MAB authenticated, and one of the guest operating systems tries doing 802.1x, I believe the switch port will try to switch to 802.1x, assuming you have that as the priority. I haven't tested that though. If more than one of the operating systems is trying 802.1x in NAT mode, I am not sure what would go on there.

If the VMs are running in bridged mode and each are presenting a unique MAC address then each MAC address would get authenticated on its own merits assuming you have multi-auth enabled on the switch port.


10 Replies

Charlie Moreton
Cisco Employee

You can use the command 'authentication host-mode multi-auth' in your interface config on the switch to allow multiple VMs to authenticate through a single switch port.

Here's a document detailing this feature:

IEEE 802.1X Multiple Authentication


Hello all, thanks for feedback,

Paul, if the host operating system is using dot1x and the guest operating systems are using dot1x too, will each operating system get a different authorization profile?

Also, which virtualization software is supported, e.g. VMware or Hyper-V?

And what if I have ESXi with 20 or more VMs installed on it; will each VM get different permissions according to the user who logs in?

Will the link between the core and ESXi be a trunk, which would allow these VMs to use different VLANs?

I am just theory crafting here since I have tested complicated VM setups before.

1) Everything with authenticated sessions on a switch is based on MAC address. So if you have multiple VMs running in NAT mode and only one MAC is presented to the switch I have no idea what would happen if multiple guest OS systems are running 802.1x. You would basically have conflicting information. My guess is every time the switch saw an EAPOL start message from the port it would start the process over again and authenticate those credentials.

2) The virtualization technology doesn’t matter as far as I know. The whole thing is how many MAC addresses are being presented to the switch port.

3) If you are running everything in bridged mode and all 20 devices have a unique MAC address, in theory you should be able to have policies for each device based on 802.1x authentication. Allowing user credentials has its own set of problems, but that is well documented in other posts. I mostly do computer auth only, as I just want to verify the device is a domain-joined asset.

4) If the VM port is set up as a trunk you can’t run RADIUS authentication. It is only supported on access ports.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

If a PC is connected through an IP phone but we do not need to authenticate or authorize IP phones from ISE, we need to exclude them from ISE.

Is this applicable ?

Also, which authentication mode do we need? If we choose multiple authentication:

  • Only one voice VLAN is supported on a multiple authentication port.

So will this voice VLAN be authenticated and authorized by ISE, or will it get its permissions without going to ISE?

Thanks.

Whenever you turn on authentication on a port you are going to have to deal with every MAC on that port.

In multidomain mode only one data MAC and one voice MAC is allowed on the port but both are authenticated via ISE. In multiauth mode, all MACs on the port are authenticated.

Why don’t you want to authenticate the phone?

Paul Haferman

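The following is an added example, not configuration from this thread or from Cisco's documentation, that puts together the 'authentication host-mode multi-auth' interface command Charlie mentioned and Paul's description of multi-domain versus multi-auth behaviour. It is written in classic IOS (pre-IBNS 2.0) syntax for a Catalyst access port behind which an ESXi host presents several bridged-mode VM MAC addresses and, optionally, one IP phone. The interface name, VLAN numbers, RADIUS server name and address, and the shared-secret placeholder are assumptions for illustration.

```cisco
! Added example (not from the thread). Interface, VLANs, server name/address
! and shared secret are assumed values; replace them with your own.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description ESXi host uplink (must be an access port; RADIUS auth is not run on trunks)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! multi-auth: every data-domain MAC seen on the port is authenticated on its
 ! own merits, and a single voice-domain MAC (the phone) is allowed alongside.
 ! multi-domain would allow exactly one data MAC plus one voice MAC;
 ! single-host would shut the port to a second MAC, which is what happens
 ! when bridged VMs appear behind a port left in the default host mode.
 authentication host-mode multi-auth
 ! Try 802.1X first and fall back to MAB for anything that never sends EAPOL
 ! (a VM whose virtual NIC or virtual switch does not pass 802.1X frames).
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! Open mode: traffic flows before, and regardless of, the authentication
 ! result, so a mis-behaving VM or an ISE reject does not cut the port.
 ! Remove this once the policy has been validated in monitoring.
 authentication open
 authentication port-control auto
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

To check what the port actually sees, use 'show authentication sessions interface GigabitEthernet1/0/1' (and 'show mac address-table interface GigabitEthernet1/0/1'): with bridged VMs you should get one session row per VM MAC, each tagged with the domain (DATA or VOICE) and the method that won (dot1x or mab). If VMs are in NAT mode they share the host's MAC, so only a single session appears no matter what host mode is configured, which is the case Paul describes above.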

Customer need: they want to purchase licenses only for the PCs, not counting the IP phones.

But if that is not applicable and IP phones must be authenticated, then there is no way around it and they must buy them. Please confirm.

thanks for feedback.

There is no way around that I know of at the switch level.

Actually, here is an out of the box idea that should work. I am just theory crafting here so you would have to test this.

If you are running your ports in Open mode, which you should be if you don’t want to impact the phones in any way, then Open mode will not respect Rejects coming from ISE, and I don’t think Rejects count against licensing, only accepted connections. So configure a rule in your authorization policy to reject all IP Phone authentications and deal only with your data connections.

The Cisco team that is monitoring this would have to confirm this. The one piece I am not sure about is if you are using a profiled group like IP Phones in the rule but doing a reject does it still consume licensing because technically you are using profiling. I don’t think any license would be consumed though.

Paul Haferman


Do Hyper-V, VirtualBox, and VMware support dot1x authentication for the virtual machines? I tried this on VirtualBox, and the host machine is able to do dot1x authentication but the guest machine is not able to perform dot1x authentication. The guest machine is doing MAC authentication and being redirected to the guest portal.

Microsoft seems to be making changes in this direction with this new registry key: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsmp\parameters" /v 8021xEnabled /t REG_DWORD /d 1 /f. This is the article I first saw this in: https://blog.workinghardinit.work/2019/01/17/802-1x-support-with-the-hyper-v-switch-is-here/. So far, I've only been able to get my test VMs to connect with 802.1x over LAN; no luck yet with wifi, unfortunately.