topic fixed ip devices in Network Access Control

fixed ip devices

suthomas1 — Fri, 13 Aug 2021 14:26:56 GMT

Good day all,

In 802.1x/mac bypass how are devices with statically assigned ip address taken care of?

we have some badge/id code readers that have static ip over ethernet. What will the cisco switch port config look like for this case, will it need a default vlan on it? Or can that port be just enabled for mab/802.1but vlan remains to the device's static ip?

preferably doing profile is being looked upon rather than having a mac bypass list.

Thank you.

Re: fixed ip devices

balaji.bandi — Fri, 13 Aug 2021 16:10:35 GMT

These device can not installed suplicant , they need to go MAB authentication here.

Look at the thread may help you :

https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-static-ip-assigned-devices-problem/m-p/4000705

Re: fixed ip devices

suthomas1 — Mon, 16 Aug 2021 13:14:49 GMT

Yes, these devices are not supporting 802.1x. with MAB being used for them, do the switch port configurations need to have a default or not-the-final vlan or it should be left to the actual vlan that needs to be allowed?

If profile is to be done on ISE, can the profile be done with out the port having access?

Re: fixed ip devices

Dustin Anderson — Mon, 16 Aug 2021 16:34:56 GMT

We use MAB for a lot of devices and some with static IPs. All of our ports are standard PC ports. When mab kicks in, we will usually change the vlan and send down a dACL. Since the device is static, the IP won't work when on the PC vlan, but will be fine once you switch vlans. This works good for devices that can't detect a vlan change and restart DHCP also.

We currently use this method for a lot of printers etc. that can't do 802.1x and we don't want thousands of static switchports to manage.

Re: fixed ip devices

suthomas1 — Tue, 17 Aug 2021 01:26:41 GMT

Thanks Dustin.

For the static ones, do you employ profiles to gather make or model? Or is it just permitted on dacl?

Re: fixed ip devices

Dustin Anderson — Tue, 17 Aug 2021 18:23:47 GMT

we only profile wireless devices so we know where to send them. For MAB, we use AD groups, so by checking group membership, we know what they are and where they go. We tried to stay away from profiling as that uses more licensing, so ends up as an added expense.

Here's part of all ours, we currently have 13 groups.

CN=AccessPoints,OU=Groups,OU=Devices MAC Authenticated,
CN=LaserPrinters,OU=Groups,OU=Devices MAC Authenticated,
CN=ThermalPrinters,OU=Groups,OU=Devices MAC Authenticated,
CN=StaticTesters,OU=Groups,OU=Devices MAC Authenticated,
CN=AV,OU=Groups,OU=Devices MAC Authenticated,
CN=SecurityCameras,OU=Groups,OU=Devices MAC Authenticated,
CN=External,OU=Groups,OU=Devices MAC Authenticated,
CN=RoomKits,OU=Groups,OU=Devices MAC Authenticated,
CN=PDCSensors,OU=Groups,OU=Devices MAC Authenticated,
CN=Wi_phone,OU=Groups,OU=Devices MAC Authenticated,
CN=Wi_scanner,OU=Groups,OU=Devices MAC Authenticated,
CN=Wi_internal,OU=Groups,OU=Devices MAC Authenticated,
CN=Wi_external,OU=Groups,OU=Devices MAC Authenticated,

Re: fixed ip devices

suthomas1 — Thu, 19 Aug 2021 13:37:51 GMT

Thanks again.

there is no AD groups for us. any ideas on profiling ?

Re: fixed ip devices

Dustin Anderson — Thu, 19 Aug 2021 14:53:30 GMT

not sure what info you will initially get for profiling especially if it's static IP, so no DHCP profiling. You may only get profiling by the OUI of the mac. This may be enough as it is usually manufacturer specific.

Another option may be to make groups for the endpoints, but that would require you to pre-populate a list of the mac addresses. You could then call those groups in the rules. Here's an old link on endpoint identity groups. This really depends on the scale you are working as it can be a bit of a manual process.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1152159