Cisco Employee

802.1x Wired Authentication on ISE with location based attributes

Hi Team,

One of the customers is looking for 802.1x authentication in a wired network with location-based restriction. The customer would like to achieve location-based authentication based upon the switch ID and maybe port ID attributes.

I would like to check if there is any way through which we can achieve the same. I know we have RADIUS attributes available; however, I am not sure whether they could achieve the same or not.

If it is not available right now, is there something available in the ISE roadmap? Please suggest!

Best Regards

Nishant

Rising star

Re: 802.1x Wired Authentication on ISE with location based attributes

You have options for this in ISE. Something to consider: When adding the NADs in ISE you have the ability to build out NAD groups based on location &/or device type. Then in your policy sets you could configure your conditions to match on DEVICE:device type (equals or contains) a string that will match the NAD groups you built out. Essentially you could build out the NAD groups based on building IDs/Sites and reference those in the policy sets. Or another example is to reference management IPs in a way that you could reference the condition Network Access:device ip address (equals) x.x.x.x. Good luck & HTH!
Cisco Employee

Re: 802.1x Wired Authentication on ISE with location based attributes

Hi Mike,

First of all, thanks a lot for looking into the same. Really appreciate it!

This leads to a further question, as the customer has a lot of modular access chassis with 10 slots populated. One single chassis could serve multiple floors in the building. The customer has an ODC kind of setup here.

Are there any RADIUS attributes available based on port or line module which we can bind or leverage in a similar way to DEVICE:device type? Can we go further down to the line module or port level in this case?

Is there any big customer leveraging such big complex/compound conditions?

Best Regards
Nishant Gupta
Accepted Solution
VIP Advocate

Re: 802.1x Wired Authentication on ISE with location based attributes

Hi @nisgupta

Have you checked whether the NAS-Port-ID(87) attribute contains the information that you need?

I checked my setup for an example of a Wired MAB request and I can see:

NAS-Port-Id == "FiveGigabitEthernet1/0/2"

You can probably create a regex that matches on a pattern that represents a module/slot and port etc.

regards
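
One way to prototype the regex suggested in the reply above before using it in a policy condition (an added example, not part of the original post and not Cisco code). It assumes NAS-Port-Id has the form shown in the post, that the first number identifies the slot, and it uses a constructed slot-to-floor table; all function names are hypothetical.

```python
import re

# Interface type, then slash-separated numbers, e.g. "FiveGigabitEthernet1/0/2".
# fullmatch() anchors both ends, so a rule for "1/0/2" cannot also accept "1/0/20".
NAS_PORT_ID = re.compile(r"(?P<kind>[A-Za-z][A-Za-z-]*)(?P<path>\d+(?:/\d+)*)")

# Constructed mapping for one chassis: (first slot, last slot) -> location label.
SLOT_LOCATIONS = {
    (1, 3): "Floor-1",
    (4, 6): "Floor-2",
    (7, 10): "Floor-3",
}


def parse_nas_port_id(value):
    """Return (kind, [numbers]) or None if the value is not in the expected form."""
    m = NAS_PORT_ID.fullmatch(value.strip())
    if m is None:
        return None
    return m.group("kind"), [int(n) for n in m.group("path").split("/")]


def location_for(value, slot_locations=SLOT_LOCATIONS):
    """Map a NAS-Port-Id to a location label using its first number (assumed slot)."""
    parsed = parse_nas_port_id(value)
    if parsed is None:
        return None  # unknown format: caller should fall through to a default rule
    slot = parsed[1][0]
    for (low, high), label in slot_locations.items():
        if low <= slot <= high:
            return label
    return None


def slot_pattern(low, high):
    """Build an anchored regex matching any interface in slots low..high."""
    slots = "|".join(str(s) for s in range(low, high + 1))
    return rf"^[A-Za-z-]+(?:{slots})/\d+(?:/\d+)*$"
```

The anchors in `slot_pattern` matter: without them a pattern written for slot 4 would also match slots 14 and 40.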

Cisco Employee

Re: 802.1x Wired Authentication on ISE with location based attributes

Thanks Arnab! This would certainly help.