CISCO ISE MAB and static mod/port assignment

Ditter
Level 3

Dear All,

 

I have the following requirement and I wonder if you can help me.

 

When an authenticated and authorized Cisco phone is registered on the network (through MAB), ISE knows on which port it is attached (for example dist-sw3 port 3/34).

 

How can I bind this specific phone to this specific LAN port, so that if the user unplugs the phone and connects it to another port it is not able to get access?

 

Is that possible?

 

Thank you,

 

Ditter.


7 Replies

Hi,
Create an authorization policy with the phone MAC address (Radius:Calling-Station-ID EQUALS phone-MAC-address), enter the port number (Radius:NAS-Port-Id EQUALS GigabitEthernet1/0/1, the interface) and enter the switch IP address (Radius:NAS-IP-Address EQUALS 10.x.x.x, the switch IP).

Also you can create a custom attribute for this like assigned port ID

-Aravind

Hi Aravind,

 

thanks for  your reply.

 

So, if I understood correctly, for every phone I will have a different authorization profile?

So if I have 2000 IP phones I will create 2000 policies?

Hi,

1. To create the custom endpoint attribute, go to Administration -> Identity Management -> Settings -> Endpoint Custom Attributes. Under Endpoint Custom Attributes, enter the attribute name AssignedPort with type String and save it.

2. Then go to Context Visibility -> click on a phone MAC address -> Edit the MAC -> Attributes -> Custom Attributes -> AssignedPort -> in Attribute Value, add the port number, like GigabitEthernet1/0/1 -> save it. Alternatively, you can import the MAC addresses with the attribute value for all 2000 phone MAC addresses from a CSV file.

3. In the authorization policy, create a condition Radius:NAS-Port-Id NOT_EQUALS EndPoints:AssignedPort AND EndPoints:AssignedPort MATCHES .* and give the permission as deny access.

4. Create a normal IP phone condition below the one above, e.g. if Cisco IP Phone / any vendor IP phone (based on profiling) -> give voice permission.

 

This way there is no need to create 2000 authorization policies.

 

-Aravind
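The rule chain above is easy to get subtly wrong (the order of the two rules, and what the `MATCHES .*` guard does to phones that have no binding yet), so here is an added example, written for this edit and not part of the thread or of ISE, that models the evaluation offline and can be run before the policy set is touched. It goes beyond Aravind's steps in one respect: a second custom attribute, AssignedSwitch, holding the switch's NAS-IP-Address, is checked as well, because NAS-Port-Id values such as GigabitEthernet1/0/1 repeat on every switch, so a port-only binding still lets the phone work on the same port number of a different switch (Aravind's first reply compares NAS-IP-Address for the same reason). Assumptions, labelled in the code: the MAC addresses, switch IPs and port names are constructed; `MATCHES .*` on an absent attribute is treated as false, i.e. as an "attribute is set" check, which is the role the thread never spells out; NOT_EQUALS on an absent attribute is modelled as true so that the guard's effect is visible; and the CSV column names for the bulk import are a guess that must be replaced by the headers of the template ISE exports.

```python
import csv
import io
import re

# Constructed inventory (not from the thread): phone MAC -> the switch
# (NAS-IP-Address) and interface (NAS-Port-Id) it is bound to.
PHONE_BINDINGS = {
    "00:11:22:33:44:55": ("10.1.1.1", "GigabitEthernet1/0/1"),
    "00:11:22:33:44:66": ("10.1.1.2", "GigabitEthernet1/0/1"),
}


def norm_mac(mac):
    """Canonicalise a MAC: IOS sends Calling-Station-Id as 00-11-22-33-44-55,
    inventories often use 0011.2233.4455; compare everything in one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def endpoint_attributes(mac):
    """Custom attributes ISE would hold for this endpoint; {} if unbound."""
    binding = PHONE_BINDINGS.get(norm_mac(mac))
    if binding is None:
        return {}
    switch, port = binding
    return {"AssignedSwitch": switch, "AssignedPort": port}


def attr_matches(attrs, name, pattern):
    """EndPoints:<name> MATCHES <regex>. Assumed false when the attribute is
    absent, which is what makes 'MATCHES .*' usable as a presence check."""
    return name in attrs and re.fullmatch(pattern, attrs[name]) is not None


def attr_not_equals(attrs, name, value):
    """Radius:X NOT_EQUALS EndPoints:<name>, modelled pessimistically: an
    absent attribute counts as 'not equal'. Whether a given ISE build does
    this or evaluates it as false, the MATCHES guard keeps rule 1 safe."""
    return name not in attrs or attrs[name] != value


def authorize(request, profiled_as_phone=True):
    """Top-down, first-match evaluation of the two rules from the thread,
    plus the AssignedSwitch check. Returns the authorization result name."""
    attrs = endpoint_attributes(request["Calling-Station-Id"])
    bound = attr_matches(attrs, "AssignedPort", ".*")
    moved = (attr_not_equals(attrs, "AssignedPort", request["NAS-Port-Id"])
             or attr_not_equals(attrs, "AssignedSwitch", request["NAS-IP-Address"]))
    # Rule 1: a bound phone showing up anywhere but its assigned port -> deny.
    if moved and bound:
        return "DenyAccess"
    # Rule 2: any profiled IP phone, bound or not yet bound -> voice permission.
    if profiled_as_phone:
        return "Cisco_IP_Phones"
    # Nothing matched -> the policy set's default rule (deny here).
    return "DenyAccess"


def bindings_csv():
    """CSV for the bulk import of step 2. The column names are an assumption:
    export the template from Context Visibility and match its headers."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["MACAddress", "AssignedSwitch", "AssignedPort"])
    for mac, (switch, port) in sorted(PHONE_BINDINGS.items()):
        writer.writerow([mac, switch, port])
    return buf.getvalue()


if __name__ == "__main__":
    req = {"Calling-Station-Id": "00-11-22-33-44-55",
           "NAS-IP-Address": "10.1.1.1", "NAS-Port-Id": "GigabitEthernet1/0/1"}
    print("on its own port:   ", authorize(req))
    print("moved one port:    ", authorize({**req, "NAS-Port-Id": "GigabitEthernet1/0/2"}))
    print("other switch:      ", authorize({**req, "NAS-IP-Address": "10.1.1.2"}))
    print(bindings_csv())
```

With the guard in place an unbound phone falls through to the voice rule, which is what lets the binding be rolled out gradually; without it, a pessimistic NOT_EQUALS would deny every phone that has not been given an AssignedPort yet.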

Hi Aravind,

 

thank you for your detailed description. I did not have the time to test, but I will test it in the following days and let you know.

 

One thing I do not understand in the condition is the second part of the AND, that is the part EndPoints:AssignedPort MATCHES .*

 

What does it do exactly?

 

Thanks again,

 

Ditter.

Aravind,

 

thank you for your detailed reply. I confirm that it works OK.

 

I did the bind (phone ID + switch port). Then I switched the phones and they did not get authorized; I flipped the cables again and authorization proceeded OK, and it works as intended.

 

What is not clear to me is the second part of the condition, i.e. the part EndPoints:AssignedPort MATCHES .*

 

What does it do exactly?

 

Thanks, Ditter.

 

 

 

ammahend
VIP

Are you opposed to using port-security? You can build a policy on ISE, but using unique MAC and switch port as attributes might not be scalable.

-hope this helps-

Hi Ammahend,

 

Do you mean to create a sticky entry only for the phone? Because behind the phone is located the user PC, and in some cases more than one MAC address, as the PC runs virtualization software (bridged interfaces). If I put the sticky argument in the switchport configuration, how can I make sure it is the phone's MAC address and not the PC's behind it?

 

I think that in this case the best thing is to create static port-security with the phone's MAC address, for example:

switchport port-security mac-address 0000.0001.0002  <--- Phone MAC address

 

In any case, this does not scale well either.

 

interface GigabitEthernet3/2
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 ! port-security: up to 4 secured addresses, the phone's pinned statically
 switchport port-security maximum 4
 switchport port-security
 switchport port-security aging type inactivity
 switchport port-security mac-address 0000.0001.0002
 no logging event link-status
 ! MAB against ISE, each host on the port authenticated individually
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end
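The static port-security alternative only protects anything while the MAC pinned on each port is still the phone that actually sits there, and as the post above notes, keeping 2000 such entries honest by hand does not scale. As an added example, not from the thread and not Cisco tooling, here is a Python audit that parses an IOS running-config (a constructed excerpt modelled on the interface above), compares each inventoried port's port-security state with the phone that belongs there, and emits the IOS lines needed to fix drift. It flags the two failure modes discussed in the thread: a stale or missing static entry, and sticky learning, which would secure the PC's (and its VMs') MAC addresses just as readily as the phone's. The interface names, MAC addresses, the inventory and the finding codes are all assumptions made for the example.

```python
import re

# Constructed running-config excerpt (not from the thread), modelled on the
# interface posted above; only the port-security lines matter here.
RUNNING_CONFIG = """\
interface GigabitEthernet3/1
 switchport voice vlan 20
 switchport port-security maximum 4
 switchport port-security
 switchport port-security mac-address 0000.0001.0001
!
interface GigabitEthernet3/2
 switchport voice vlan 20
 switchport port-security maximum 4
 switchport port-security
 switchport port-security mac-address 0000.0001.0002
!
interface GigabitEthernet3/3
 switchport voice vlan 20
 switchport port-security maximum 4
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet3/4
 switchport voice vlan 20
 switchport port-security
!
"""

# Constructed inventory: interface -> MAC of the phone that belongs there (IOS
# dotted form). Gi3/2's phone was swapped after the static entry was written.
PHONE_ON_PORT = {
    "GigabitEthernet3/1": "0000.0001.0001",
    "GigabitEthernet3/2": "0000.0001.0009",
    "GigabitEthernet3/3": "0000.0001.0003",
    "GigabitEthernet3/4": "0000.0001.0004",
}

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"


def parse_interfaces(config):
    """Return {interface: {psec, maximum, sticky, static}} from an IOS
    running-config; any non-indented line ends the current interface block."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"interface (\S+)$", raw)
            cur = ifaces.setdefault(m.group(1), {"psec": False, "maximum": 1,
                                                  "sticky": False, "static": []}) if m else None
            continue
        if cur is None:
            continue
        cmd = raw.strip()
        if cmd == "switchport port-security":
            cur["psec"] = True
        elif m := re.match(r"switchport port-security maximum (\d+)$", cmd):
            cur["maximum"] = int(m.group(1))
        elif cmd == "switchport port-security mac-address sticky":
            cur["sticky"] = True
        elif m := re.match(rf"switchport port-security mac-address ({MAC_RE})$", cmd):
            cur["static"].append(m.group(1))
    return ifaces


def audit(config, inventory):
    """Compare each inventoried port with its config; (interface, finding, detail)."""
    ifaces, findings = parse_interfaces(config), []
    for name, phone_mac in sorted(inventory.items()):
        cfg = ifaces.get(name)
        if cfg is None:
            findings.append((name, "not_in_config", ""))
            continue
        if not cfg["psec"]:
            findings.append((name, "no_port_security", ""))
        if cfg["sticky"]:  # learns whatever talks first, PC and VM MACs included
            findings.append((name, "sticky_learning", ""))
        if phone_mac not in cfg["static"]:
            stale = [m for m in cfg["static"] if m != phone_mac]
            findings.append((name, "stale_static" if stale else "missing_static", ",".join(stale)))
        if cfg["static"] and cfg["maximum"] < 2:  # phone alone fills the limit
            findings.append((name, "maximum_too_low", str(cfg["maximum"])))
    return findings


def remediation(config, inventory):
    """IOS commands that pin each inventoried phone MAC and drop stale entries."""
    ifaces, lines = parse_interfaces(config), []
    for name, phone_mac in sorted(inventory.items()):
        cfg = ifaces.get(name, {"static": []})
        if cfg["static"] == [phone_mac]:
            continue
        lines.append(f"interface {name}")
        lines += [f" no switchport port-security mac-address {m}" for m in cfg["static"] if m != phone_mac]
        if phone_mac not in cfg["static"]:
            lines.append(f" switchport port-security mac-address {phone_mac}")
    return lines


if __name__ == "__main__":
    for iface, finding, detail in audit(RUNNING_CONFIG, PHONE_ON_PORT):
        print(f"{iface:22} {finding:18} {detail}")
    print("\n".join(remediation(RUNNING_CONFIG, PHONE_ON_PORT)))
```

Run against a real `show running-config` the same parser works unchanged; the inventory is the part that has to come from somewhere authoritative, which is the same bookkeeping problem the ISE custom-attribute approach solves with a CSV import.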
