716 Views, 6 Helpful, 7 Replies

ISE authenticating Guest VMs

Cory Peterson
Level 5

Can anyone confirm if this comment is correct or not? I have never heard this statement before and have authenticated Guest VMs many times in the past. I recently ran into an issue where some of the guests are not even showing in the auth session database on the switch or ISE and reached out to TAC.

"Dot1x or MAB authentication for VMs is known for not working properly or not working at all, and is not supported."


Thank You,

-Cory

7 Replies

paul
Level 10

Hmm, in bridged mode the guest VMs should have unique MACs and show up on the switch port to be authenticated. In NAT mode only the host's MAC would show up. Are you seeing the MACs show up on the switch port when you do "show auth session" or "show access-session"?

I see all the MACs in the CAM tables but only some of the MACs in the auth session table. It is not any set amount missing between different ports either: some have 6 of 8 authenticating, others have 4 of 8 authenticating.

The reason I asked about the comment in bold is that that is what TAC sent me in an email, and I have never seen it mentioned in all the posts here about authenticating Guest VMs on an access port.

This is the first I have heard of it. If possible, please share the TAC case number so we may take a look and see more context.

We have not done much with the case yet except collect logs and a show tech, and before we did much I got that response from TAC.

TAC Case#684675337 

Thanks for looking in to this!

I see your case has all MAC addresses in "show mac add int <>" but not in "show auth sessions int <>". If possible, I would suggest trying (1) a hub and some physical wired devices on the same 4510R+E with Sup8-E and (2) a different switch model, such as 3650. This is likely a bug on the switch platform.

The VM issues I usually run into in our lab are because the VMs are connected to a VMware port group, which in turn connects to the VMware vSwitch and then to the physical interface. Thus, we usually need to use some particular means to get DOT1X to work, especially with the native supplicants, or they fail over to MAB.

I tried 9 clients on the same interface of 3650 (on 3.6.3E) in our lab and all showed up in both "show auth sessions int <>" and "show mac add int <>".

Damien Miller
VIP Alumni

Cory, hit me up on Skype tomorrow; I have dealt with some interesting behavior with VMware over the past couple of years. We can at least go over my lessons learned and maybe something will relate to the issue you are having.

thomas
Cisco Employee

Cory, we have always used Windows VMs for our ISE Sales Trainings so you absolutely can do it!

The key is to directly map a VM to a specific physical port (wireless/wired USB dongle, UCS ethernet port, etc.).

Alternatively, ensure you have bridged the VMware NIC to the host computer NIC.

Do not use VMware NAT! If you use VMware NAT, the VM's MAC will not show on the port and all traffic will look like that of the host computer.
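A quick way to check both points raised in this thread (MACs that are learned in the CAM table but never get an auth session, as in the 4510 case above, and VMs that are NAT'd behind the host and so never appear on the port at all, as in the last reply). The following is an added example, not code from the thread, from Cisco or from VMware: it parses the text of "show mac address-table interface <x>" and "show authentication sessions interface <x>" (or "show access-session interface <x>" on IBNS 2.0 code), takes the list of guest MACs from the hypervisor, and sorts each VM into a bucket. The two show outputs, the VM MAC list and the host MAC are constructed samples laid out in the style of Catalyst IOS; the column layout differs between releases, so the script relies only on the MAC column and on the status keywords, and the set of status keywords is an assumption you may need to extend for your release.

```python
"""Cross-check a switch port's MAC table against its 802.1X/MAB session table.

Added example (not from the thread). Inputs are the raw text of two show
commands plus the VM MACs known to the hypervisor. Everything below the
functions is constructed sample data.
"""
import re

# Cisco dotted notation as printed by IOS: 0050.56a1.0001
MAC_RE = re.compile(r"\b[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\b")
# Status keywords from legacy 'show authentication sessions' and IBNS 2.0
# 'show access-session' output (assumed; extend for your release). Order
# matters: longer alternatives come first.
STATUS_RE = re.compile(r"\b(Authz Success|Authz Failed|Unauthorized|Running|Unauth|Auth)\b")
AUTHORIZED_STATES = {"Authz Success", "Auth"}


def normalize_mac(mac: str) -> str:
    """Accept 00:50:56:a1:00:01, 00-50-56-..., or 0050.56a1.0001; return dotted lowercase."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"


def mac_table_entries(text: str) -> set[str]:
    """Every MAC the switch has learned on the port (CAM table)."""
    return {normalize_mac(m) for m in MAC_RE.findall(text)}


def session_entries(text: str) -> dict[str, str]:
    """MAC -> session status for every session line in the auth/session output."""
    sessions = {}
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue  # header, blank or summary line
        status = STATUS_RE.search(line)
        sessions[normalize_mac(mac.group(0))] = status.group(1) if status else "unknown"
    return sessions


def classify_vms(vm_macs, host_mac, mac_table_text, sessions_text):
    """Sort each guest VM MAC into one diagnostic bucket.

    authorized          - session exists and is in an authorized state
    session_failed      - session exists but is not authorized (policy/supplicant problem)
    learned_no_session  - in the CAM table but no session at all (the symptom in the thread)
    not_on_port         - never learned on the port: NAT mode, not bridged, or wrong vSwitch
    other_on_port       - MACs on the port that are neither a VM nor the host NIC
    """
    learned = mac_table_entries(mac_table_text)
    sessions = session_entries(sessions_text)
    expected = {normalize_mac(m) for m in vm_macs}
    host = normalize_mac(host_mac)
    report = {k: [] for k in ("authorized", "session_failed", "learned_no_session",
                              "not_on_port", "other_on_port")}
    for mac in sorted(expected):
        if mac in sessions:
            bucket = "authorized" if sessions[mac] in AUTHORIZED_STATES else "session_failed"
        elif mac in learned:
            bucket = "learned_no_session"
        else:
            bucket = "not_on_port"
        report[bucket].append(mac)
    report["other_on_port"] = sorted(learned - expected - {host})
    return report


# Constructed sample: 'show mac address-table interface Gi1/0/1' (IOS style)
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56a1.0001    DYNAMIC     Gi1/0/1
  10    0050.56a1.0002    DYNAMIC     Gi1/0/1
  10    0050.56a1.0003    DYNAMIC     Gi1/0/1
  10    0050.56a1.0004    DYNAMIC     Gi1/0/1
  10    a4bb.6d11.2233    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 5
"""

# Constructed sample: 'show authentication sessions interface Gi1/0/1' (legacy style)
SAMPLE_SESSIONS = """\
            Interface  MAC Address     Method  Domain  Status         Session ID
            Gi1/0/1    0050.56a1.0001  mab     DATA    Authz Success  0A0A0A010000001200F3A9
            Gi1/0/1    0050.56a1.0002  dot1x   DATA    Authz Failed   0A0A0A010000001300F3B0
            Gi1/0/1    a4bb.6d11.2233  dot1x   DATA    Authz Success  0A0A0A010000001100F3A0
"""

# Constructed: guest MACs as the hypervisor reports them, plus the host's own NIC
VM_MACS = ["00:50:56:a1:00:01", "00:50:56:a1:00:02", "00:50:56:a1:00:03",
           "00:50:56:a1:00:04", "00:50:56:a1:00:05", "00:50:56:a1:00:06"]
HOST_MAC = "a4:bb:6d:11:22:33"

if __name__ == "__main__":
    for bucket, macs in classify_vms(VM_MACS, HOST_MAC, SAMPLE_MAC_TABLE, SAMPLE_SESSIONS).items():
        print(f"{bucket:20s} {', '.join(macs) or '-'}")
```

With the sample data, VMs 3 and 4 land in learned_no_session, which is the pattern from the case above (present in "show mac add", absent from "show auth sessions") and points at the switch rather than at the VM or ISE; VMs 5 and 6 land in not_on_port, which is what a NAT'd or un-bridged VM looks like from the switch, and what to check on the hypervisor side before opening a TAC case.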