04-07-2020 04:28 AM - edited 04-07-2020 04:31 AM
Hey everyone,
Is it possible to send the description of the wired interface the client is connected on to ISE?
If so, how can you set this up?
for example:
interface GigabitEthernet6/0/37
description Video port 1GE UTP INTERFACE
I want to send "Video port 1GE UTP INTERFACE" in any of the RADIUS attributes.
I cannot find it in the documentation.
Thanks
04-09-2020 01:11 AM
Hi,
This could work as well!
Workaround:
12.2(43)SE2 and above (MAB only), the VLAN ID can be added to the NAS-ID attribute:
Switch(config)#mab request format attribute 32 vlan access-vlan
15.2(2)E/3.6.0E/15.2(1)SY and above (using IBNS 2.0 syntax), the VLAN ID and name can be included as the Tunnel-Private-Group-ID attribute:
Switch(config)#access-session attributes filter-list list custom-name
Switch(config-com-filter-list)#vlan-id
Switch(config-com-filter-list)#exit
Switch(config)#
Switch(config)#access-session authentication attributes filter-spec include list custom-name
Thanks for sharing this!
04-07-2020 01:28 PM
The command for the network device (IOS-based switch in this case) to send additional specific RADIUS attributes to ISE (or any AAA server) is typically:
c3560cx(config)#radius-server attribute ?
11 Filter-Id attribute configuration
188 Num-In-Multilink attribute configuration
218 Address-Pool attribute
25 Class attribute
30 DNIS attribute
31 Calling Station ID
32 NAS-Identifier attribute
4 NAS IP address attribute
44 Acct-Session-Id attribute
55 Event-Timestamp attribute
6 Service-Type attribute
60 CHAP-Challenge attribute
61 NAS-Port-Type attribute configuration
66 Tunnel-Client-Endpoint attribute
67 Tunnel-Server-Endpoint attribute
69 Tunnel-Password attribute
77 Connect-Info attribute
8 Framed IP address attribute
95 NAS IPv6 address attribute
list List of Attribute Types
nas-port NAS-Port attribute configuration
nas-port-id Nas-Port-Id attribute configuration
You can try playing with those and see if any of them might send the description, but I'm not seeing it with a few attempts:
c3560cx(config)#radius-server attribute nas-port format ?
a Format is type, channel, port
b Either interface(16) or isdn(16), async(16)
c Data format(bits): shelf(2), slot(4), port(5), channel(5)
d Data format(bits): slot(4), module(1), port(3), vpi(8), vci(16)
e Configurable data format
c3560cx(config)#radius-server attribute nas-port-id include ?
circuit-id Circuit ID
remote-id Remote ID
vendor-class-id Vendor Class ID
No luck with vendor specific attributes (VSAs), either:
c3560cx(config)#radius-server vsa send authentication ?
3gpp2 Send 3GPP2 VSAs in accounting requests
c3560cx(config)#radius-server vsa send cisco-nas-port ?
3gpp2 Send 3GPP2 VSAs in accounting requests
What is the real issue you are trying to deal with or workaround?
I can't help thinking you want to use interface descriptions for ISE authorization rules on certain ports or to flag a debug/override mechanism when troubleshooting. Generally, all ports should have a universal configuration for access control for consistent handling of whatever gets plugged in and the decision should be based on the endpoint's identity/context, not a static port description.
04-08-2020 12:16 AM
Hey Thomas,
We are implementing Cisco ISE dot1x solution for all our (+80) Cisco Campus switches.
We would like to have two default container vlans, if nothing could be matched on the previous conditions:
Option 1=> Engineering (can be any device with eth port)
Option 2=> No-access (block access device on the network)
The decision between option 1 and 2 should be based on the interface description, and for (1) Engineering the interface description is always "Engineering port 1GE UTP INTERFACE".
The main problem with the Engineering ports across all switches is that the ports are not the same:
Switch 1 = Engineering ports 1,2,5,10,30,48
Switch 2 = Engineering port 1,2,3,4,12,15,18
...
So it would be easier if we could match in ISE on the interface description, instead of making a library and configuring, for each switch, all the NAS-Port-Ids that are configured as Engineering.
Is this possible?
Thanks.
grtz,
Arash
04-08-2020 02:25 PM
Defining your access based on a static port description totally defeats the purpose of 802.1X authentication with dynamic authorization for different VLANs, ACLs, and/or SGTs. In general, you should not care which physical port a user or device plugs into.
Please consider using 802.1X authentication against AD or LDAP groups to determine whether a user is allowed access. For devices, you can use 802.1X or for non-authenticating devices, use MAC Authentication Bypass (MAB) with static identity groups of MAC addresses. Yes, you will have to manage lists of MAC addresses unless you are willing to consider endpoint profiling.
Please see our ISE Secure Wired Access Prescriptive Deployment Guide for best practice configurations.
04-09-2020 12:40 AM
Hi ,
Thanks for responding first of all!
I know, but maybe I did not explain my purpose :)
What we want to reach is:
For every device that is managed by the R&D department (we as the IT department do not care for them at all), we would like to match them on the very last condition in ISE (match via port description).
The last condition that we have is 'blockacces' in ISE, but we don't want that for those typical R&D devices. Plus it is practically impossible to maintain them all the time via MAB, because the department uses several vendors for testing every time, so several MACs...
It does not mean that those ports are dedicated to R&D testing devices; they can also be used for other conditions like a VoIP phone, or a person from the sales/IT/lab AD group connecting his laptop to the network, ...
The flow that we would like to reach:
1) Network device authenticating via AD certificate & person is member of sales group = access -> vlan 10 (sales)
2) Network device authenticating via AD certificate & person is member of IT group = access -> vlan 20 (IT)
...
30) Unknown device but interface port = Engineering = access -> Vlan 2200 (Engineering)
31) Unknown device and nothing else matches = block -> vlan 999 (blockvlan)
I'm pretty sure that what we want to reach is possible.
I found out in the RADIUS attributes of Alcatel that this is possible, so I thought that Cisco could do the same.
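As an added example (not from the original thread, and not Cisco's or ISE's own tooling), the following Python script puts the two approaches discussed in this thread side by side: it builds the per-switch "library" of Engineering NAS-Port-Id values that Arash wants to avoid maintaining by hand, harvesting them from each switch's running-config instead, and it emits the "switchport access vlan" lines that put those ports in the Engineering VLAN so that the VLAN-in-RADIUS workaround (VLAN ID in NAS-Identifier for MAB, or VLAN ID/name in Tunnel-Private-Group-ID with IBNS 2.0) carries a value ISE can match on instead of the description. The switch IPs, interface names and the sample configs are constructed for the example; the description string and VLAN 2200 are the ones Arash gives above.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpts (hypothetical switches and ports,
# not taken from the thread). Keyed by NAS-IP-Address.
SAMPLE_CONFIGS: Dict[str, str] = {
    "10.1.1.1": """\
hostname SW1
!
interface GigabitEthernet1/0/1
 description Engineering port 1GE UTP INTERFACE
 switchport mode access
!
interface GigabitEthernet1/0/2
 description Engineering port 1GE UTP INTERFACE
!
interface GigabitEthernet1/0/3
 description Video port 1GE UTP INTERFACE
!
interface GigabitEthernet1/0/48
 description Engineering port 1GE UTP INTERFACE
!
""",
    "10.1.1.2": """\
hostname SW2
!
interface GigabitEthernet1/0/1
 description Engineering port 1GE UTP INTERFACE
!
interface GigabitEthernet1/0/4
 description  engineering port 1GE UTP interface
!
interface GigabitEthernet1/0/5
 description Engineering
!
interface Vlan1
 description Management
!
""",
}

# Description string and Engineering VLAN as given in the thread.
ENGINEERING_DESC = "Engineering port 1GE UTP INTERFACE"
ENGINEERING_VLAN = 2200

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
DESC_RE = re.compile(r"^\s+description\s+(.*?)\s*$")


def _norm(desc: str) -> str:
    # Descriptions are free text: collapse whitespace and ignore case so a port
    # typed as "engineering  port ..." still lands in the set. A port whose
    # description differs in any other way is silently left out, which is the
    # maintenance burden Thomas warns about.
    return " ".join(desc.split()).lower()


def ports_with_description(config: str, wanted: str = ENGINEERING_DESC) -> List[str]:
    """Return interface names whose description matches 'wanted' after normalisation."""
    matches: List[str] = []
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!"):  # "!" closes the interface stanza in IOS configs
            current = None
            continue
        m = DESC_RE.match(line)
        if m and current and _norm(m.group(1)) == _norm(wanted):
            matches.append(current)
    return matches


def build_nas_port_library(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """NAS-IP-Address -> NAS-Port-Id values (IOS sends the interface name as
    NAS-Port-Id), i.e. the per-switch library an ISE condition would have to list."""
    return {nas_ip: ports_with_description(cfg) for nas_ip, cfg in configs.items()}


def access_vlan_config(ports: List[str], vlan: int = ENGINEERING_VLAN) -> str:
    """IOS config that pins the matched ports to the Engineering access VLAN, so the
    VLAN carried in NAS-Identifier / Tunnel-Private-Group-ID identifies them."""
    lines: List[str] = []
    for port in ports:
        lines += [f"interface {port}", f" switchport access vlan {vlan}", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    library = build_nas_port_library(SAMPLE_CONFIGS)
    for nas_ip, ports in library.items():
        print(f"{nas_ip}: {len(ports)} Engineering port(s): {', '.join(ports)}")
        print(access_vlan_config(ports))
```

Either output can be fed to the next step: the library (NAS-IP-Address plus NAS-Port-Id list per switch) is what an ISE condition would need under the "per-switch library" approach, while the generated access-VLAN lines are the prerequisite for the VLAN-based workaround. Note that GigabitEthernet1/0/5 on SW2, whose description is just "Engineering", is not matched: a free-text description is only as reliable as the person who typed it, which is the point Thomas makes about basing authorization on endpoint identity rather than static port text.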
04-08-2020 04:02 PM
Aside from what Thomas shared, there are a few workarounds described here:
Also, if you happen to have a TAC SR open, have them reference: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp20205