Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1813
Views
5
Helpful
4
Replies

Can ISE change a port description?

Dan
Level 1
Level 1

‎05-18-2018 02:19 AM - edited ‎02-21-2020 10:56 AM

Hi

 

Is it possible for ISE to rename a port after a device has successfully finished a dot1x authentication? I'd like to be able to pull the hostname of the device and put it on the port description and then have it change back to a generic port description when a device hasn't authenticated. How would I go about doing this? I assume i'm going to have to do something with EPM to pull the hostname from somewhere?

 

I've seen rm-port-description on our 2960Xs radius attributes but don't see the same option on ISE on the authorization results.

 

Thanks

Labels:
0 Helpful
4 Replies 4

Bogdan Nita
VIP Alumni
VIP Alumni

‎05-18-2018 05:52 AM

I do not think the ISE can configure the description on the switch, but it should be able to send the hostname using aaa:supplicant-name AV-Pairs attribute.

Then you would need to have some sort of script in place to monitor the interface, grab the supplicant-name (trickiest thing) and write it as description.

I found this macro in the following post, but it does not seem to work:

https://supportforums.cisco.com/t5/aaa-identity-and-nac/using-av-pairs-to-add-a-description-to-a-port-based-on-the/td-p/2270111

If you want to have the description configure so you can issue show int description and see who is connected to the interface then you may consider using show int users.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz16631/?rfs=iqvred

 

HTH

Bogdan

Dan
Level 1
Level 1
In response to Bogdan Nita

‎05-18-2018 06:29 AM

Yes I had seen them but nobody followed up on whether they got it working or not and I'm struggling to find anything else on google.

I would have thought that ISE is capable of doing this. It can already change the VLAN on a port and i'm assuming that it's just sending a 'sw mode access vlan xx' command to the switch?

Don't think I'll be able to use the 'show int users' command as it returns nothing for me. Most likely because we're doing PC authentications only using MSCHAP and not EAP-TLS. I can see the switch learning the hostname of the devices because I can do a 'show auth sess int gi1/0/3' for example and see 'User-Name: host/hostname.domain'.

I haven't seen people using EPM scripts to pull CDP neighbour information and write it to a port description but struggling to figure out where to start to do the same for hostnames from auth sessions.
0 Helpful

Bogdan Nita
VIP Alumni
VIP Alumni
In response to Dan

‎05-18-2018 06:48 AM

If you ca use a command to see the hostamane you could use a EEM script like this one (I haven't actually tested it so you might need to adapt it):

event manager applet add_port_descr
 event identity interface regexp GigabitEthernet.* authz all athuz-complete
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "interface $_nd_local_intf_name"
 action 4.0 cli command "do show auth sess int $_nd_local_intf_name | include User-Name"
 action 5.0 cli command "description $_cli_result"

 

should write a description 'User-Name: host/hostname.domain'

 

HTH

Bogdan

0 Helpful

Dan
Level 1
Level 1
In response to Bogdan Nita

‎05-18-2018 07:03 AM

Thanks for this. Unfortunately we're using 2960X which as far as I can see don't support the EEM scripting? The only way I can see it working is if we use an auto-smart-port macro.

0 Helpful
Customers Also Viewed These Support Documents