Fairly new to ISE but have done quite a bit of reading up.
I have a problem with setting up the Alcatel Omni switch rules.
When I create a device profile for MAB for the Alcatel switches, the rule says if condition "device is part of group and matches MAB" proceed. The problem is the MAB packet by default isn't the "lookup packet" like Cisco devices.
To get around this I can create a device profile that looks for the PAP_ASCII field and it changes it to a lookup packet for MAB.
However, this then creates a problem for remote access for SSH and I can no longer log into the switch.
Does anyone know of an attribute or condition in RADIUS that would be used by MAB authentication, but would be used by a normal SSH admin session?
Wondering if I could add a condition for MAB which would be that the username contains the character ":" as the MAC address, proceed; otherwise drop down to the RADIUS user authentication rule for logging in to the device.
You most probably have to do a tcpdump from ISE and compare SSH vs MAB scenarios using Wireshark.
The reason why you're having this issue is that you're using RADIUS for SSH access.
Don't you have a port type radius attribute for the SSH session? Like virtual or something similar? This would be a differentiator.
What I'm saying is that you should use the Device Profile Alcatel the way it works for MAB, and change the SSH auth rule to consider some extra attribute in order to differentiate requests inside Policy Set.
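The comparison suggested in this thread, as an added example that is not part of the original posts: it parses RADIUS Access-Request attributes (RFC 2865 layout) and separates MAB from an SSH admin login by NAS-Port-Type, with the MAC-shaped username only as a secondary check. The packets are constructed samples, and the assumption that the switch sends NAS-Port-Type Virtual for SSH and Ethernet for MAB has to be confirmed against a real capture.

```python
import re
import struct

# RADIUS attribute type codes and values from RFC 2865.
USER_NAME, NAS_PORT_TYPE = 1, 61
VIRTUAL, ETHERNET = 5, 15
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}$")

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def classify(packet: bytes) -> str:
    """Label a request 'admin-login', 'mab' or 'unknown'."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, b"").decode("ascii", "replace")
    raw = attrs.get(NAS_PORT_TYPE)
    port_type = int.from_bytes(raw, "big") if raw else None
    if port_type == VIRTUAL:  # assumed value for SSH sessions; confirm in a capture
        return "admin-login"
    if port_type == ETHERNET and MAC_RE.match(user):
        return "mab"
    return "unknown"

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples, not captured traffic.
MAB = build_request([(1, b"00:11:22:33:44:55"), (61, ETHERNET.to_bytes(4, "big"))])
SSH = build_request([(1, b"admin"), (61, VIRTUAL.to_bytes(4, "big"))])
HEX_ADMIN = build_request([(1, b"deadbeefcafe"), (61, VIRTUAL.to_bytes(4, "big"))])

if __name__ == "__main__":
    for name, pkt in (("MAB", MAB), ("SSH", SSH), ("HEX_ADMIN", HEX_ADMIN)):
        print(name, classify(pkt))
```

The `HEX_ADMIN` sample is an admin account whose name happens to look like a MAC address; it is still classified as an admin login because the port type is checked first.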