ISE2.4 compatibility issues with Alcatel SW

Michal Juzwa
Cisco Employee

Hi,

 

Could you help me clarify the below:

 

1)  MAB and 802.1x authentication methods for Alcatel switch 6250 did not work well.

Basically, if the Alcatel switch authenticates the endpoint with method MAB against the ISE internal database, it will not include the MAC address of the endpoint in the calling-station-ID attribute. The ISE shows in the Real time logs the identity field of the user as a MAC address, but the Endpoint MAC address is blank... From the detailed report we are able to see that the MAB authentication was detected by ISE correctly (host lookup).

What is happening?

 

2)

Due to our configuration of the policy set we are comparing the endpoint custom attribute named "LOCATION" against the attribute of NAD "software version" - if those attributes matched, we will allow the endpoint to connect to the network. This is not working in Alcatel 6250 case. We see that the ISE is trying to retrieve the custom endpoint attribute of "LOCATION" twice but with no success. This seems to be a problem of radius-process-flow of ISE. Which received RADIUS attribute is being used for the query to internal endpoint database?

 

3)  Also the Alcatel switch did not send the MAC address in calling-station-id for the RADIUS accounting and the ISE dropped all the accounting packets with a reason of "malformed ...." This is generating 6 repetitive messages and will not scale well in the future deployment.

 

The questions are:

 

1. What is the official statement about support of Alcatel devices? We saw that the official statement from Cisco said that the tested platform is 6850.

 

2. We have to know why the custom endpoint attributes are not retrieved from the internal database of ISE during the MAB authentication.

                a. We know that the Alcatel platform 6250 did not utilize the calling-station-ID attribute

                b. But we know that Cisco ISE detected the MAB request as Host lookup and is also able to successfully authenticate the MAC against the internal database.

 

Thanks,

-Michal

3 Replies 3

Jason Kunst
Cisco Employee
I see you also asked this to our PMs?

Removed from PM.

hslai
Cisco Employee

To me, all these seem expected. When the NAD is not sending the MAC address of the endpoint as the calling station, ISE would not be able to look it up for attributes. The MAB authentication in the associated NAD profile is to check the password via CHAP.

If you have not got other responses, then I will confirm it with others in our teams.
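
The behaviour discussed in this thread can be confirmed from a packet capture. The following is an added example, not part of any post above and not Cisco or Alcatel code: it parses a raw RADIUS packet per RFC 2865 and reports when Calling-Station-Id (attribute 31) is absent while User-Name carries a MAC-like string. The helper names `check_request` and `build`, the sample packets and the MAC value are constructed for illustration.

```python
import re
import struct

USER_NAME, CALLING_STATION_ID = 1, 31        # RFC 2865 attribute types
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4    # RFC 2865 / RFC 2866 packet codes
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}$")

def parse_radius(packet: bytes) -> tuple[int, dict[int, list[bytes]]]:
    """Return (code, {attr_type: [values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def check_request(packet: bytes) -> list[str]:
    """List findings that matter for a MAC-keyed endpoint lookup."""
    code, attrs = parse_radius(packet)
    findings = []
    user = attrs.get(USER_NAME, [b""])[0].decode("ascii", "replace")
    if CALLING_STATION_ID not in attrs:
        findings.append("no Calling-Station-Id")
        if code == ACCESS_REQUEST and MAC_RE.match(user):
            findings.append("User-Name looks like a MAC (MAB-style request)")
    return findings

def build(code: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Construct a sample packet (zeroed authenticator) for offline testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: one shaped like the thread describes, one with attribute 31.
without_csid = build(ACCESS_REQUEST, [(USER_NAME, b"001122334455")])
with_csid = build(ACCESS_REQUEST, [(USER_NAME, b"001122334455"),
                                   (CALLING_STATION_ID, b"00-11-22-33-44-55")])
```

Feed `check_request` the UDP payload of each request exported from a capture taken between the switch and the RADIUS server; an empty list means the attribute was present.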