11-09-2018 06:11 AM - edited 03-08-2019 05:28 PM
Dear All,
I have the following requirement and I wonder if you can help me.
When an authenticated and authorized Cisco phone is registered on the network (through MAB), ISE knows on which port it is attached (for example dist-sw3 port 3/34).
How can i bind this specific phone to this specific lan port so that if the user unplugs the phone and connects it to another port not be able to get access?
Is that possible?
Thank you,
Ditter.
11-13-2018 01:42 AM
Hi,
1. To create the custom endpoint attribute, go to Administration->Identity Management->Settings->Endpoint Custom Attributes. Under Endpoint Custom Attributes enter the Attribute name as AssignedPort, Type as String, & save it.
2. Then go to Context Visibility-> click on a phone MAC address-> Edit the MAC Attributes->Custom Attributes-> AssignedPort ->in Attribute Value -> add the port number like GigabitEthernet1/0/1 ->Save it, or else you can import the MAC addresses with the attribute value for all the 2000 phones in a CSV file.
3. In the Authorization policy create a condition as Radius:NAS-Port-Id NOT_EQUALS EndPoints:AssignedPort AND EndPoints:AssignedPort MATCHES .* & give permission as deny access.
4. Create a normal IP phone condition below the above, like if Cisco IP phone/Any vendor IP phone (based on profiling) ->give voice permission.
In this way there is no need to create 2000 authorization policies.
-Aravind
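To see how the two rules above interact, here is an added simulation (not from the thread or from ISE itself) that evaluates them top-down for a few constructed RADIUS requests. The endpoint table, MACs and port names are made up; the attribute names mirror the post. It assumes ISE semantics where an attribute that was never populated fails a MATCHES check, which is the reason the second half of the AND is there; check this against your own ISE version.

```python
import re

# Constructed endpoint database standing in for Context Visibility:
# MAC -> custom attributes. None means AssignedPort was never populated.
ENDPOINTS = {
    "00:11:22:33:44:55": {"AssignedPort": "GigabitEthernet1/0/1", "profile": "Cisco-IP-Phone"},
    "00:11:22:33:44:66": {"AssignedPort": None, "profile": "Cisco-IP-Phone"},
    "AA:BB:CC:DD:EE:FF": {"AssignedPort": None, "profile": "Workstation"},
}

def not_equals(attr, value):
    # Assumption: an absent attribute is not equal to anything, so the
    # NOT_EQUALS half on its own would be true for every unassigned endpoint.
    return attr != value

def matches(attr, pattern):
    # Assumption: an absent attribute cannot match any regex, so
    # "EndPoints:AssignedPort MATCHES .*" is false for unassigned endpoints.
    return attr is not None and re.fullmatch(pattern, attr) is not None

def authorize(request):
    """Evaluate the two rules top-down for one RADIUS access request.

    request: {'Calling-Station-Id': endpoint MAC, 'NAS-Port-Id': switch port}
    returns the name of the authorization result.
    """
    ep = ENDPOINTS.get(request["Calling-Station-Id"].upper(), {})
    assigned = ep.get("AssignedPort")
    nas_port = request["NAS-Port-Id"]

    # Rule 1 (deny): Radius:NAS-Port-Id NOT_EQUALS EndPoints:AssignedPort
    #                AND EndPoints:AssignedPort MATCHES .*
    # Without the MATCHES guard, a phone that has no AssignedPort yet
    # (e.g. not in the CSV import) would be denied on every port.
    if not_equals(assigned, nas_port) and matches(assigned, r".*"):
        return "DenyAccess"

    # Rule 2 (voice): profiled as an IP phone -> voice permission
    if ep.get("profile", "").endswith("IP-Phone"):
        return "PermitAccess-Voice"

    # No rule matched: whatever the policy set's default rule does
    return "Default"
```

A PC bridged behind the phone (the Workstation entry) is not touched by the deny rule, because it has no AssignedPort and does not profile as a phone.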
11-15-2018 11:35 AM
Hi Aravind,
thank you for your detailed description. I did not have the time to test, but I will test it in the following days and I will let you know.
One thing I do not understand in the condition is the second part of the AND, that is the part EndPoints:AssignedPort MATCHES .*
What does it do exactly?
Thanks again,
Ditter.
11-11-2018 05:08 PM
11-12-2018 01:44 AM
Hi Aravind,
thanks for your reply.
So, if I understood correctly, for every phone I will have a different authorization profile?
So if I have 2000 IP phones I will create 2000 policies?
11-20-2018 02:41 AM
Aravind,
thank you for your detailed reply. I confirm that it works OK.
I did the bind (Phone Id + Switch port), then I switched the phones and they did not get authorized; flipped the cables again and authorization proceeded OK and works as intended.
What is not clear to me is the second part of the condition i.e. the part EndPoints:AssignedPort MATCHES .*
What does it do exactly?
Thanks, Ditter.
11-11-2018 06:29 PM
Are you opposed to using port-security? You can build a policy on ISE, but using unique MAC and switch port as attributes might not be scalable.
11-12-2018 01:19 AM
Hi Ammahend,
do you mean to create a sticky entry only for the phone? Because behind the phone is located the user PC, and in some cases more than one MAC address as the PC runs virtualization software (bridged interfaces). If I put the sticky argument in the switchport configuration, how can I make sure it is the phone's MAC address and not the PC's behind it?
I think that in this case the best thing is to create static port-security with the phone's MAC address, for example:
switchport port-security mac-address 0000.0001.0002 <--- Phone MAC address
In any case this also does not scale correctly.
interface GigabitEthernet3/2
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security maximum 4
 switchport port-security
 switchport port-security aging type inactivity
 switchport port-security mac-address 0000.0001.0002
 no logging event link-status
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end