08-25-2021 09:37 PM
Hi all,
Fairly new to ISE but have done quite a bit of reading up.
I have a problem with setting up the Alcatel Omni switch rules.
When I create a device profile for MAB for the Alcatel switches, the rule says if condition "device is part of group and matches MAB" proceed. The problem is the MAB packet by default isn't the "lookup packet" like Cisco devices.
To get around this I can create a device profile that looks for the PAP_ASCII field and it changes it to a lookup packet for MAB.
However, this then creates a problem for remote access for SSH and I can no longer log into the switch.
Does anyone know of an attribute or condition in RADIUS that would be used by MAB authentication, but would be used by a normal SSH admin session?
Wondering if I could add a condition for MAB which would be that the username contains character ":" as the MAC address, proceed; otherwise drop down to RADIUS user authentication rule for logging in to device.
Any thoughts welcome.
08-26-2021 10:31 AM - edited 08-26-2021 10:32 AM
This is the error message when I now try to SSH into the device, after allowing ISE to properly match MAB auths to ISE.
If I change the Alcatel device profile back, SSH to the device works, but MAB fails.
10-08-2021 10:28 PM
Hi,
You most probably have to do a tcpdump from ISE and compare SSH vs MAB scenarios using Wireshark.
The reason why you're having this issue is that you're using RADIUS for SSH access.
Don't you have a port type radius attribute for the SSH session? Like virtual or something similar? This would be a differentiator.
What I'm saying is that you should use the Device Profile Alcatel the way it works for MAB, and change the SSH auth rule to consider some extra attribute in order to differentiate requests inside Policy Set.
BR,
Octavian
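The capture comparison suggested in the reply above can be scripted. The following is an added example, not part of the original thread or of any Cisco or Alcatel tooling: it parses the attributes of a RADIUS Access-Request and labels it as MAB or admin login. The function names and the sample packets are constructed for illustration, and the idea that the switch sends NAS-Port-Type Virtual for SSH is an assumption to confirm in your own capture.

```python
import re
import struct

USER_NAME, NAS_PORT_TYPE = 1, 61      # RFC 2865 attribute type codes
PORT_VIRTUAL, PORT_ETHERNET = 5, 15   # RFC 2865 NAS-Port-Type values
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}$")

def parse_access_request(pkt: bytes) -> dict:
    """Return {attribute type: raw value}; the first instance of a type wins."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length runs past the packet")
        attrs.setdefault(a_type, pkt[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def classify(pkt: bytes) -> str:
    """Label a request 'admin-login', 'mab' or 'unknown'."""
    attrs = parse_access_request(pkt)
    raw_port = attrs.get(NAS_PORT_TYPE, b"")
    port = struct.unpack("!I", raw_port)[0] if len(raw_port) == 4 else None
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    if port == PORT_VIRTUAL:   # assumption: the switch marks SSH logins this way
        return "admin-login"
    if MAC_RE.match(user):     # MAB: the endpoint MAC arrives as User-Name
        return "mab"
    return "unknown"

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples, not taken from a real capture.
MAB_PKT = build_request([(USER_NAME, b"00:11:22:33:44:55"),
                         (NAS_PORT_TYPE, struct.pack("!I", PORT_ETHERNET))])
SSH_PKT = build_request([(USER_NAME, b"admin"),
                         (NAS_PORT_TYPE, struct.pack("!I", PORT_VIRTUAL))])

if __name__ == "__main__":
    print(classify(MAB_PKT), classify(SSH_PKT))
```

Whichever attribute turns out to differ between the two request types in the real capture is the one to use as the extra condition in the policy set.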
10-14-2021 10:18 AM
That's what I thought. I ended up getting SSH to use TACACS and getting that to work.