cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Register for SecureX webinars to learn about our newest integrations and features.

1204
Views
0
Helpful
3
Replies
vtirozguy
Beginner

Cisco ISE 3.0 and alcatel Radius differentiation

Hi all,

 

fairly new to ISE but have done quite a bit of reading up.

I have a problem with setting up the Alcatel Onmi switch rules.

 

When i create a device profile for MAB for the Alcatel switches, the rule says if condition "device is part of group and matches MAB" proceed. The problem is the MAB packet by default isnt the "lookup packet" like cisco devices.

 

To get around this i can create a device profile that looks for the PAP_ASCII field and it changes it to a lookup packet for MAB.

 

However this then creates a problem for remote access for SSH and no longer can log into the switch.

 

Does anyone know of an attribute or condition in radius that would be used by MAB authentication, but would be used by a normal ssh admin session.

 

Wondering if i could add a condition for MAB which would be that the username contains character ":" as the MAC address proceed otherwise drop down to radius user authentication rule for logging in to device.

 

 

Any thoughts welcome

 

 

 

 

3 REPLIES 3
vtirozguy
Beginner

this is the error message when i now try to ssh into device, after allowing ISE to properly match Mab auths to ISE.error.jpg

 

 

If i change Alcatel device profile back, ssh to device works, but MAB fails.

Octavian Szolga
Participant

Hi,

 

You most probably have to do a tcpdump from ISE and compare SSH vs MAB scenarios using whireshark

The reason why you're having this issue is that you're using RADIUS for SSH access.

Don't you have a port type radius attribute for the SSH session? Like virtual or something similar? This would be a differentiator.

 

What I'm saying is that you should use the Device Profile Alcatel the way it works for MAB, and change the SSH auth rule to consider some extra attribute in order to differentiate requests inside Policy Set.

 

BR,

Octavian

Thats what i thought. I ended getting SSH to use TACACS and getting that to work

Create
Recognize Your Peers
Content for Community-Ad
Additional Cisco Threat Response Resources


August's Community Spotlight Awards