topic Re: Limiting Device Movement using MAC Address in Network Access Control

Limiting Device Movement using MAC Address

fdharmawan — Fri, 21 Feb 2020 19:07:13 GMT

Hi Guys,

Is it possible to limit device movement using MAC address? In this case, I want to limit IP phone's movement. The definition of movement is, I want a certain IP phone to connect on a certain switch port. Let's say IP phone A can only connect to Switch A port 1, while IP phone B can only connect to Switch B port 10. IP phone will use voice VLAN while access VLAN also configured on the port, so any user can use the extension port on the back of the IP phone.

I already managed to limit the movement, but only on 1 switch. If I move those IP phones to different switch, the policy will not take effect. The question would be, can I do it centrally? So I do not have to adjust the configuration on every switch. The command would be a long one since I have more than 50 IP phones on deployment with more than 10 switches to be configured. Below is the example of my current command:

mac address-table static 1234.5678.ABCD vlan 10 int te3/0/13
mac address-table static ABCD.EFGH.1234 vlan 10 drop

Re: Limiting Device Movement using MAC Address

howon — Mon, 24 Jun 2019 07:11:27 GMT

Are you using RADIUS server like ISE or ACS? Using ISE/ACS will let you manage policy centrally regardless of where IP Phone connects.

Re: Limiting Device Movement using MAC Address

balaji.bandi — Mon, 24 Jun 2019 07:25:19 GMT

Adding to other post

You have 2 options.

Option 1 , you need to have centralised identity system which can take care of the policies.

Option2. you need to do manually all over device(which is time consume for adding and removing)

My suggestion to have Option1 (look for option in the market)

Re: Limiting Device Movement using MAC Address

fdharmawan — Mon, 24 Jun 2019 08:03:51 GMT

Hi howon,

Yes, I'm using ISE v2.3.

From Live Log authentication detail, I saw switch name, switch IP address, and device mac address. But I did not see source port from the switch on the log detail. Can I also set the source port on ISE?
I'm thinking to define the incoming switch address on ISE, but I also set the MAC limitation on local switch, since I did not see any port-like attributes on ISE. Do you think this will work? I will be working on this idea on my environment.

Re: Limiting Device Movement using MAC Address

fdharmawan — Mon, 24 Jun 2019 08:08:03 GMT

Hi Balaji,

I have ISE 2.3 installed. On ISE, I should be working on Policy Sets menu, right? Or somewhere else?

Re: Limiting Device Movement using MAC Address

howon — Mon, 24 Jun 2019 12:48:32 GMT

Create two custom attributes; one for NAD IP and another for Interface name

Go to Administration > Identity Management > Settings > Endpoint Custom Attributes
Create two attributes called 'NAD' and 'Interface' with String data type
Go to Context visibility for each of the IP Phone MAC address and fill on the NAD IP and Interface name in the newly created attribute

Create Policy rule for MAB that uses following condition:

RADIUS:NAS-IP-Address(4) == ENDPOINT:NAD
&

RADIUS:NAS-Port-ID(87) == ENDPOINT:Interface

And assign voice domain permission

Above should be enough to lock-in the specific IP phones to specific NAD + Interface

Basic idea is same as the instructions in the following link:

https://community.cisco.com/t5/security-documents/dynamic-attribute-with-ise-mac-address-matching/ta-p/3643882

Re: Limiting Device Movement using MAC Address

balaji.bandi — Mon, 24 Jun 2019 18:25:15 GMT

follow the other post as suggested. let us know if you need any further assitance.