topic Re: Stack-member ISE condition in Network Access Control

Stack-member ISE condition

dirksmit — Wed, 05 Sep 2018 13:57:57 GMT

Is it possible to use the switch stack membership in an ISE condition. My customer wants to treat authentication differently depending on a stack membership

Re: Stack-member ISE condition

paul — Wed, 05 Sep 2018 14:28:16 GMT

What is the use case here?

There is no RADIUS attribute passed to ISE that says "this is a stacked switch". You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that but that wouldn't help as 1/ could be a stack or stand alone.

If they truly want to do this, they should build a custom NDG group in ISE called "Stacked" and have two sub-NDGs called "Yes" and "No". When the add the switch into ISE they set the stacked NDG value correct and use it in their rules.

Re: Stack-member ISE condition

Damien Miller — Wed, 05 Sep 2018 20:02:56 GMT

An alterntive way around this could be unstacking the switches and giving them each their own management IP. Then going down the same path as Paul, placing them in different device groups to leverage in the policy sets.

Re: Stack-member ISE condition

dirksmit — Thu, 06 Sep 2018 06:42:20 GMT

Thank you very much Paul. I will follow your recommendation.

Re: Stack-member ISE condition

dirksmit — Thu, 06 Sep 2018 06:44:54 GMT

with your recommendation I meant :

Re: Stack-member ISE condition

jan.nielsen — Thu, 06 Sep 2018 07:37:59 GMT

Be very carefull with using interface id's for anything in a stack, if you have to rebuild the stack, or change a switch in the stack, you run the risk of the numbering changing if you are not careful. Not running stacks is a much better solution to this.

Re: Stack-member ISE condition

dirksmit — Thu, 06 Sep 2018 07:42:32 GMT

Thank you Jan for your warning. Bedankt Jan voor de waarschuwing. 🙂

Re: Stack-member ISE condition

howon — Thu, 06 Sep 2018 13:52:25 GMT

There is an attribute on the Catalyst switch that can be manipulated to send custom string if the IOS is of later version. You can modify the NAS-ID (Attribute 32) with following command:

SWITCH(config)#radius-server attribute 32 include-in-access-req format ?

LINE A string where %i = IP address and %h = hostname, %d = domain name

SWITCH(config)#radius-server attribute 32 include-in-access-req format Stack-%h

Above will prefix the NAS-ID with 'Stack-' and the switch hostname and send it along during authentication. Once this is done for all stacked switches, simply create a policy set or rule in ISE that leverages the condition, such as If NAS-ID starts with 'Stack-' then do X.

Re: Stack-member ISE condition

paul — Thu, 06 Sep 2018 13:59:19 GMT

Great tip! Learned something new today. I can take the rest of the day off now. 🙂

Thanks!

Re: Stack-member ISE condition

dirksmit — Thu, 06 Sep 2018 14:03:14 GMT

Thank you very much howon. This is the ultimate solution to my question. I will use this in my POC and in a few weeks will let you know how this worked for me.