ISE 2.4 Policy using nas-port-id

Evanjrosado
Level 1

Hi,

Looking out there to see if anyone has used the RADIUS attribute nas-port-id in an authorization policy to lock down switch port access to specific devices. We deployed a few Cisco 12-port 3560-CX switches in our conference rooms and have integrated them with our ISE 2.4 RADIUS servers. Here's an example of what I'm thinking of implementing.

  • Authentication
    • DOT1x with PEAP-EAP, MS-CHAPV2
  • Authorization
    • if device is in external group <AD group name>, and
    • if nas-port-id is within range gigabitethernet0/1 through gigabitethernet0/10
  • Authorization Result
    • DACL with access needed

Accepted Solution

paul
Level 10

I have done NAS port ID before as well. You can also create a specific location or device type for these conference room switches to tie that into the rule as well.

One other thought that works well is this:

  1. Put the conference room ports on an Internet only VLAN.
  2. If a Dot1x device plugs in, i.e. a corporate device, move them to the corporate VLAN.

2 Replies

Damien Miller
VIP Alumni

I've used it in the lab to target a specific port with no issue, but never in production. From a policy perspective it works; you will have to decide if it works or not from a design perspective.

In the current state, anything with those port numbers would hit; I would still add the network access device name/IP.
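To make the design point concrete, here is an added example (not code from the thread or from Cisco ISE) that simulates how the authorization rule sketched in the original post evaluates a RADIUS request, first with only the AD-group and NAS-Port-Id conditions and then with the NAS-IP-Address condition Damien recommends. All names and values (the switch addresses, the AD group, the dACL name, the regex written in the style of an ISE "MATCHES" condition) are constructed placeholders, and the example assumes the switch sends NAS-Port-Id in the long form "GigabitEthernet0/N".

```python
import re
from dataclasses import dataclass


# Constructed view of the RADIUS attributes an ISE authorization rule would
# evaluate for one Access-Request. Every value below is made up.
@dataclass(frozen=True)
class AccessRequest:
    user_name: str
    nas_ip_address: str      # RADIUS NAS-IP-Address (the switch that sent the request)
    nas_port_id: str         # RADIUS NAS-Port-Id, e.g. "GigabitEthernet0/3"
    ad_groups: frozenset     # AD groups returned for the user (constructed lookup result)


# Hypothetical policy inputs mirroring the original post.
CONF_ROOM_SWITCHES = frozenset({"192.0.2.11", "192.0.2.12"})  # constructed NAS IPs (TEST-NET-1)
ALLOWED_GROUP = "AD-CONF-ROOM-USERS"                           # placeholder for <AD group name>
PORT_RANGE = (1, 10)                                           # Gi0/1 through Gi0/10
CONF_ROOM_DACL = "PERMIT_CONF_ROOM_DACL"                       # placeholder dACL name

# The same port condition written as a regex, the way one would express it with
# the ISE "MATCHES" operator on Radius:NAS-Port-Id (pattern is an assumption).
PORT_REGEX = re.compile(r"^GigabitEthernet0/([1-9]|10)$")


def port_in_range(nas_port_id: str, low: int, high: int) -> bool:
    """True when NAS-Port-Id is exactly GigabitEthernet0/N with low <= N <= high.

    Any other interface naming (stacked switches, TenGig, short names) is rejected,
    so the rule fails closed instead of matching something unexpected."""
    m = re.fullmatch(r"GigabitEthernet0/(\d+)", nas_port_id)
    return bool(m) and low <= int(m.group(1)) <= high


def regex_matches(nas_port_id: str) -> bool:
    """Evaluate the regex form of the port condition."""
    return PORT_REGEX.search(nas_port_id) is not None


def authorize(req: AccessRequest, require_nad: bool) -> str:
    """Evaluate the conference-room authorization rule.

    require_nad=False is the rule as written in the original post (group + port).
    require_nad=True adds the NAS-IP-Address scope Damien suggests, so a port
    number alone cannot match on some other switch in the estate."""
    if ALLOWED_GROUP not in req.ad_groups:
        return "DENY"
    if not port_in_range(req.nas_port_id, *PORT_RANGE):
        return "DENY"
    if require_nad and req.nas_ip_address not in CONF_ROOM_SWITCHES:
        return "DENY"
    return f"PERMIT:{CONF_ROOM_DACL}"


if __name__ == "__main__":
    groups = frozenset({ALLOWED_GROUP})
    conf_room = AccessRequest("alice", "192.0.2.11", "GigabitEthernet0/3", groups)
    other_switch = AccessRequest("alice", "192.0.2.1", "GigabitEthernet0/3", groups)  # constructed core switch
    for name, req in (("conf room", conf_room), ("other switch", other_switch)):
        print(f"{name:13} port-only rule: {authorize(req, require_nad=False)}"
              f"   with NAD check: {authorize(req, require_nad=True)}")
```

Run as-is, the second line shows the hit Damien describes: a user in the right AD group plugging into Gi0/3 on any switch that authenticates against ISE satisfies the port-only rule, while the NAD-scoped rule denies it. In ISE the equivalent is adding a Network Access Device condition (device IP, or a device type/location as paul suggests) to the same rule.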
