802.1x Wired Authentication on ISE with location based attributes

nisgupta (Cisco Employee)

Hi Team,

One of our customers is looking for 802.1x authentication in a wired network with location-based restriction. The customer would like to achieve location-based authentication based upon the switch ID and maybe port ID attributes.

I would like to check if there is any way through which we can achieve the same. I know we have RADIUS attributes available; however, I am not sure whether they can achieve the same or not.

If it is not available right now, is there something available in the ISE roadmap? Please suggest!

Best Regards

Nishant

4 Replies

Mike.Cifelli (VIP Alumni)
You have options for this in ISE. Something to consider: When adding the NADs in ISE you have the ability to build out NAD groups based on location &/or device type. Then in your policy sets you could configure your conditions to match on DEVICE:device type (equals or contains) a string that will match the NAD groups you built out. Essentially you could build out the NAD groups based on building IDs/Sites and reference those in the policy sets. Or another example is to reference management IPs in a way that you could reference the condition Network Access:device ip address (equals) x.x.x.x. Good luck & HTH!

Hi Mike,

First of all, thanks a lot for looking into the same. Really appreciate it!

This would lead to a further question, as the customer has a lot of modular access chassis with 10 slots populated. One single chassis could serve multiple floors in the building. The customer has an ODC kind of setup here.

Are there any RADIUS attributes available based on port or line module which we can bind or leverage in a similar way to DEVICE:device type? Can we further go down to the line module or port level in this case?

Is there any big customer leveraging such big complex/compound conditions?

Best Regards
Nishant Gupta

Hi @nisgupta

Have you checked whether the NAS-Port-Id (87) attribute contains the information that you need?

I checked my setup for an example of a Wired MAB request and I can see:

NAS-Port-Id == "FiveGigabitEthernet1/0/2"

You can probably create a regex that matches on a pattern that represents a module/slot and port, etc.

Regards

 
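An added example, not code from the thread or from ISE itself, showing how the two answers combine: it parses a NAS-Port-Id value of the shape Arnab quotes, builds a per-line-module regex of the kind he suggests, and ties the NAD's management IP (Mike's condition) plus the module to a floor in a fail-closed lookup. The IPs, floor names, and the assumption that the first numeric field is the line module are constructed placeholders; what each field means is platform specific.

```python
import re
from typing import Optional

# Cisco-style NAS-Port-Id as seen in the thread: "<IfType><a>/<b>/<c>".
# Assumption for this example: the first field is the line module (slot),
# the last is the port. Check your platform's interface naming before relying on it.
NAS_PORT_RE = re.compile(r"^(?P<iftype>[A-Za-z]+)(?P<mod>\d+)/(?P<sub>\d+)/(?P<port>\d+)$")


def parse_nas_port_id(nas_port_id: str) -> Optional[dict]:
    """Return {'iftype', 'mod', 'sub', 'port'} or None if the value does not match."""
    m = NAS_PORT_RE.match(nas_port_id or "")
    if not m:
        return None
    d = m.groupdict()
    return {"iftype": d["iftype"], "mod": int(d["mod"]), "sub": int(d["sub"]), "port": int(d["port"])}


def module_regex(mod: int) -> str:
    """Regex string of the kind you would paste into an ISE 'Matches' condition
    on Radius:NAS-Port-Id to select every port on one line module."""
    return rf"^[A-Za-z]+{mod}/\d+/\d+$"


def matches_module(nas_port_id: str, mod: int) -> bool:
    return re.fullmatch(module_regex(mod), nas_port_id or "") is not None


# Constructed location table: (NAD management IP, line module) -> floor.
# Placeholder values only; in ISE this would be NAD groups plus NAS-Port-Id conditions.
LOCATION_TABLE = {
    ("10.0.0.1", 1): "HQ-Floor-1",
    ("10.0.0.1", 2): "HQ-Floor-2",
    ("10.0.0.2", 1): "Annex-Floor-1",
}


def authorize(nad_ip: str, nas_port_id: str, user_floor: str) -> str:
    """Mimic a policy-set decision: PERMIT only when the port's floor equals the
    floor the user is entitled to. An unknown NAD/module or an unparseable
    NAS-Port-Id falls closed (DENY) instead of silently matching a default rule."""
    parsed = parse_nas_port_id(nas_port_id)
    if parsed is None:
        return "DENY:unparseable-nas-port-id"
    floor = LOCATION_TABLE.get((nad_ip, parsed["mod"]))
    if floor is None:
        return "DENY:unknown-location"
    return "PERMIT" if floor == user_floor else f"DENY:wrong-floor:{floor}"
```

Note that a switch that omits NAS-Port-Id, or a platform with a different naming scheme, lands in the fail-closed branch, so test the regex against real Live Logs before enforcing it.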

Thanks Arnab! This would certainly help.