topic Re: Endstation Network Condition not working for IPv4 in Network Access Control

Endstation Network Condition not working for IPv4

newjard — Thu, 16 Sep 2021 06:04:18 GMT

I have a question about Endstation Network Conditions for IPv4.
I have configured “Network Conditions>>>Endstation Network Conditions>>>created „TEST_ENDSTATION” and added the address IP 10.50.50.10 or alternatively 10.50.50.0/24.
In AUTHORIZATION POLICY I have the condition „Network Conditions: TEST_ENDSTATION”.
Start endstation authentication/authorization with the address IP 10.50.50.10 (tested for MAB and DOT1X) is not matched with the prepared condition. I read that I need to add a command on the switch, but it doesn't help:
radius-server attribute 31 send nas-port-detail.

i tried too:

radius-server attribute 31 send nas-port-detail

radius-server attribute 31 remote-id

radius-server attribute 31 append-circuit-id

Additionally, I have attributes for configuration:

mab request format attribute 32 vlan access-vlan
radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-access-req

radius-server attribute 25 access-request include

radius-server attribute 31 send nas-port-detail

radius-server attribute 31 remote-id

radius-server attribute 31 append-circuit-id

radius-server vsa send cisco-nas-port

Did not work.
If I add MAC to Endstation Network Conditions >>> TEST_ENDSTATION MAC, then the authorization works correctly and goes to AUTHORIZATION POLICY condition "Network Conditions: TEST_ENDSTATION MAC".

So for MAC it works for IP it doesn't work.

What do I need to add to the switch configuration so that the IP address is sent in the network attributes?

Port configuration:

interface FastEthernet0/XX

description dot1x test

switchport access vlan XXX

switchport mode access

switchport nonegotiate

switchport voice vlan XXX

authentication event fail retry 0 action next-method

authentication event server dead action authorize

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server

mab

no snmp trap link-status

dot1x pae authenticator

dot1x timeout tx-period 7

spanning-tree portfast edge

spanning-tree guard root

ip dhcp snooping limit rate 15

end

Switch (I also tested on others😞

WS-C2960C-8PC 15.2(7)E4 - C2960c405-UNIVERSALK9-M

Re: Endstation Network Condition not working for IPv4

Marcelo Morais — Fri, 17 Sep 2021 00:16:46 GMT

Hi @newjard ,

the Endstation Network Conditions is based on End Stations that initiate and terminate the connection. In a RADIUS Request, this identifier is available in Attribute 31 (Calling-Station-Id). Calling-Station-Id is commonly the MAC Addr of the connecting Endpoint.

At Work Centers > Profiler > Endpoint Classification, check the attributes captured by the RADIUS Probe of the selected Endpoint, verify the Calling-Station-Id info.

Note: the Framed-IP-Address value populates the IP attribute.

Hope this helps !!!

Re: Endstation Network Condition not working for IPv4

newjard — Fri, 17 Sep 2021 07:55:08 GMT

Thanks for the answer.

In my endpoint authorization's ISE logs I have:

--------ISE LOGS--------
Authentication Details
Endpoint Id: MAC ENDPOINT
Calling Station Id: MAC ENDPOINT
IPv4 Address: 10.50.50.10

Other Attributes
EndPointMACAddress: MAC ENDPOINT
Called-Station-ID: MAC ENDPOINT
-- I can't see Framed-IP-Address --

-----
In ISE TCP DUMP in wireshark I can see Framed-IP-Address:
AVP: t=Framed-IP-Address(8) l=6 val=10.50.50.10
Type: 8
Length: 6
Framed-IP-Address: 10.50.50.10
-----

At Work Centers > Profiler > Endpoint Classification I can see:
Calling-Station-ID: MAC ENDPOINT
EndPointMACAddress: MAC ENDPOINT
Framed-IP-Address: 10.50.50.10
Ip: 10.50.50.10

We do not use Profiling.

The authorization rule with IP_ENDPOINT still does not match.

What else could be the reason?

What can i check?

Re: Endstation Network Condition not working for IPv4

rezaalikhani — Sat, 17 Aug 2024 10:52:27 GMT

Based on the definition, the only parameter that is checked when you select Endstation Network Condition and using RADIUS-based authentication is "Calling-Station-ID". Based on your experience, the MAC address restriction works but IP address does not. This is normal because "Calling-Station-ID" contains the ip address of the endstation when the endpoint is using AnyConnect VPN to access the network.