topic Re: Cisco switch send interface description to ISE in Network Access Control

Cisco switch send interface description to ISE

Arash-BE — Tue, 07 Apr 2020 11:31:51 GMT

Hey everyone,

Is it possilbe to send the interface description, which the client is connected on wired, to ISE?

If so, how can you set this up?

for example:

interface GigabitEthernet6/0/37
description Video port 1GE UTP INTERFACE

I want to send "Video port 1GE UTP INTERFACE" in any of the radius attributes

I cannot find it in the documentation..

Thanks

Re: Cisco switch send interface description to ISE

thomas — Tue, 07 Apr 2020 20:28:53 GMT

The command for the network device (IOS-based switch in this case) to send additional specific RADIUS attributes to ISE (or any AAA Server) is typically :

c3560cx(config)#radius-server attribute ?
11 Filter-Id attribute configuration
188 Num-In-Multilink attribute configuration
218 Address-Pool attribute
25 Class attribute
30 DNIS attribute
31 Calling Station ID
32 NAS-Identifier attribute
4 NAS IP address attribute
44 Acct-Session-Id attribute
55 Event-Timestamp attribute
6 Service-Type attribute
60 CHAP-Challenge attribute
61 NAS-Port-Type attribute configuration
66 Tunnel-Client-Endpoint attribute
67 Tunnel-Server-Endpoint attribute
69 Tunnel-Password attribute
77 Connect-Info attribute
8 Framed IP address attribute
95 NAS IPv6 address attribute
list List of Attribute Types
nas-port NAS-Port attribute configuration
nas-port-id Nas-Port-Id attribute configuration

You can try playing with those and see if any of them might send the description but I'm not seeing it with a few attempts:

c3560cx(config)#radius-server attribute nas-port format ?
a Format is type, channel, port
b Either interface(16) or isdn(16), async(16)
c Data format(bits): shelf(2), slot(4), port(5), channel(5)
d Data format(bits): slot(4), module(1), port(3), vpi(8), vci(16)
e Configurable data format


c3560cx(config)#radius-server attribute nas-port-id include ?
circuit-id Circuit ID
remote-id Remote ID
vendor-class-id Vendor Class ID

No luck with vendor specific attributes (VSAs), either:

c3560cx(config)#radius-server vsa send authentication ?
3gpp2 Send 3GPP2 VSAs in accounting requests

c3560cx(config)#radius-server vsa send cisco-nas-port ?
3gpp2 Send 3GPP2 VSAs in accounting requests

What is the real issue you are trying to deal with or workaround?

I can't help thinking you want to use interface descriptions for ISE authorization rules on certain ports or to flag a debug/override mechanism when troubleshooting. Generally, all ports should have a universal configuration for access control for consistent handling of whatever gets plugged in and the decision should be based on the endpoint's identity/context, not a static port description.

Re: Cisco switch send interface description to ISE

Arash-BE — Wed, 08 Apr 2020 07:16:18 GMT

Hey Thomas,

We are implementing Cisco ISE dot1x solution for all our (+80) Cisco Campus switches.

We would like to have two default container vlans, if nothing could be matched on the previous conditions:

Option 1=> Engineering (can be any device with eth port)

Option 2=> No-access (block access device on the network)

To make a decision between option 1 or 2, should be the interface description and for (1) Engeering is the interface description always " Engineering port 1GE UTP INTERFACE"

The main problem about Engineering port & all switches, are the ports are not the same:

Switch 1 = Engineering ports 1,2,5,10,30,48

Switch 2 = Engineering port 1,2,3,4,12,15,18

...

So it would be easier if we could match in ISE on the interface description, instead of making a library and configure for each switch all the nas-port-id that is configured as Engineering..

Is this is possible?

Thanks.

grtz,

Arash

Re: Cisco switch send interface description to ISE

thomas — Wed, 08 Apr 2020 21:25:44 GMT

Defining your access based on a static port description totally defeats the purpose of 802.1X authentication with dynamic authorization for different VLANs, ACLs, and/or SGTs. In general, you should not care which physical port a user or device plugs into.

Please consider using 802.1X authentication against AD or LDAP groups to determine whether a user is allowed access. For devices, you can use 802.1X or for non-authenticating devices, use MAC Authentication Bypass (MAB) with static identity groups of MAC addresses. Yes, you will have to manage lists of MAC addresses unless you are willing to consider endpoint profiling.

Please see our ISE Secure Wired Access Prescriptive Deployment Guide for best practice configurations.

Re: Cisco switch send interface description to ISE

howon — Wed, 08 Apr 2020 23:02:15 GMT

Aside from what Thomas shared, there are few workarounds described here:

https://community.cisco.com/t5/security-documents/advanced-ise-tips-to-make-your-deployment-easier/ta-p/3850189#toc-hId--574335339

Also, if you happen to have a TAC SR open, have them reference: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp20205

Re: Cisco switch send interface description to ISE

Arash-BE — Thu, 09 Apr 2020 07:40:39 GMT

Hi ,

Thanks for responding first of all!

I know, but maybe I did not explain my purpose 🙂

What we want to reach is:

For every device that is managed by R&D department (We as IT departement do not care for them at all), we would like to match them on the very last condition in ISE (match via port description).

The last condition that we have is 'blockacces' in ISE, but we don't want that for those typical R&D devices. Plus it is very impossible to maintain them all the time via mab, because the department use every time several vendors for testing so several mac's...

It does not mean that those ports are dedicated for R&D testing devices, but it can also be used for other conditions like voip phone, person from sales/IT/lab AD group connect his laptop on the network,...

The flow that we would like to reach:

1) Netwerk device authenticating via AD certificate & person is member of sales group = access -> vlan 10 (sales)

2) Netwerk device authenticating via AD certificate & person is member of IT group = access -> vlan 20 (IT)

...

30) Unknown device but interface port = Engineering = access -> Vlan 2200 (Engineering)

31 Unknown device and nothing matches else = block -> vlan 999 (blockvlan)

I'm pretty sure that what we want to reach is possible.

I found out in the radius attribute of Alcatel that is possible, so I may thought that Cisco could do the same.

Re: Cisco switch send interface description to ISE

Arash-BE — Thu, 09 Apr 2020 08:11:32 GMT

Hi,

This could work as well!

Workaround:
12.2(43)SE2 and above (MAB only), VLAN ID can be added to NAS-ID attribute
Switch(config)#mab request format attribute 32 vlan access-vlan

15.2(2)E/3.6.0E/15.2(1)SY and above (Using IBNS 2.0 syntax), VLAN ID and Name can be included as Tunnel-Private-Group-ID attribute
Switch(config)#access-session attributes filter-list list custom-name
Switch(config-com-filter-list)#vlan-id
Switch(config-com-filter-list)#exit
Switch(config)#
Switch(config)#access-session authentication attributes filter-spec include list custom-name

Thanks for sharing this!