topic Re: [ISE 2.3+] 802.1X AND MAC address Authentication simultaneously? in Network Access Control

[ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

Jing Hong Li — Fri, 21 Feb 2020 19:02:29 GMT

REF: Re: 802.1X AND MAC address Authenticati...

Is this still available for ISE 2.3 and later version ? I can set the condition to be Radius·Calling-Station-ID, but can not set the value to be a Endpoint identity Groups:{Groups_Name}，Can you please help to provide the policy detail ? Thanks!

Re: [ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

hslai — Mon, 17 Dec 2018 16:27:07 GMT

Yes, ISE 2.3 uses the dictionary attribute IdentityGroup.Name as shown below:

Re: [ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

Jing Hong Li — Tue, 18 Dec 2018 00:57:13 GMT

Hi hslai, Thanks for create new post and reply. And from your screen shot showing that for 802.1x and MAC address filter authentication at the same time there is no need to compare Radius Calling-Station-ID as Craig Hyps mentioned, Right ?

Re: [ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

Arne Bier — Tue, 18 Dec 2018 11:55:16 GMT

Hi @Jing Hong Li - which Craig Hyps reference are you referring to? There was a similar posting on this Community Forum this week where someone asked how to do 802.1X but in combination with a MAC address lookup in an Endpoint Identity Group.

Have a read here.

Re: [ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

Jing Hong Li — Wed, 19 Dec 2018 00:18:07 GMT

I reference below link:

https://community.cisco.com/t5/identity-services-engine-ise/802-1x-and-mac-address-authentication-simultaneously/m-p/3557008/highlight/false#

Re: [ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

hslai — Wed, 19 Dec 2018 00:38:18 GMT

Craig Hyps wrote
... you can also validate the Calling-Station-Id (MAC address of LAN user) to an allowed list such as Endpoint Identity Group with specific permissions.

This is how it is done. The Calling-Station-Id (MAC address) is assigned to an endpoint ID group and we use this endpoint ID group name in the authorization policy condition.

Re: [ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

Jing Hong Li — Wed, 19 Dec 2018 05:26:31 GMT

Great!

Thanks hslai，and I will have a test!

Re: [ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

Arne Bier — Thu, 20 Dec 2018 22:09:32 GMT

Hi @Jing Hong Li / @hslai

I was unable to find a way to search the Calling-Station-Id in an Endpoint Identity Group DURING an 802.1X authentication. In the radius packets there is always the Calling-Station-ID - BUT - because this is an 802.1X authentication, the User-Name field is used in all of the lookups.

The solution (as far as I can see) is to perform a MAB auth, and then an 802.1X auth. The Cisco WLC supports that. If the MAB auth fails, then the WLC won't even attempt the 802.1X auth. This means less work for ISE.

The link I sent in a previous comment shows how this is done.

Re: [ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

Jing Hong Li — Thu, 28 Feb 2019 02:46:42 GMT

Hi Arne Bier,

no need to search Calling-Station-Id, just compare Identity Group name, it works fine.