09-24-2024 04:13 AM
We have added a 3rd party switch to ISE, and the switch sends MAB authentication requests along with DHCP options.
HW-DHCP-Option=SEP70DA48E8B074;
HW-DHCP-Option=1 28 3 15 6 12 42 119 242 120 66 150 43 252;
HW-DHCP-Option=Cisco:Codec:1.0;
The label "HW-DHCP-Option" is vendor specific, we can translate this name to the name desired by ISE.
Can someone tell me what label I should use to convert so that ISE would accept it?
09-24-2024 08:54 AM
So you mean like Cisco Device Sensor? Are these sent via RADIUS Accounting from the access switch in question? https://cs.co/ise-interop
09-24-2024 09:01 AM
Why do you want these DHCP options?
MHM
09-24-2024 09:29 AM
Phones and codec devices need to be authenticated by the ISE. The switch sends phone and codec data collected by DHCP snooping to the ISE for profiling. It's Mac Address Bypass authentication. Everything is RADIUS.
09-24-2024 10:08 AM
09-24-2024 10:42 AM
No, these are sent with the RADIUS authentication request. I guessed this information may help device profiling. I may be wrong. TAC would help but is not an option in my situation. Kind of a dead end.
09-24-2024 11:29 AM
09-24-2024 12:17 PM
3rd party SW: can I know exactly what the SW model is?
MHM
09-24-2024 10:06 AM
Please take a look at DHCP Attributes section in this guide:
09-24-2024 11:29 AM
I will study this in depth. It suggests to me that I must consider broader profiling data.
09-24-2024 02:31 PM - edited 09-24-2024 02:47 PM
Have you tried making a Network Device Profile for this vendor product? You can start by creating a RADIUS dictionary definition in ISE to populate the custom attribute(s) you need, and then you can craft your own MAB and 802.1X authentication detection Rules based on that. It means that ISE will do all the attribute matching/checks for you, based on your custom logic.
If you're only after one RADIUS attribute "DHCP Option" then you could also create that one manually, and ensure you set it as a STRING and that it has the tick box set for "Allow multiple instances of this attribute in a profile". I just made up the Attribute ID "5" (you can get the true values from a tcpdump/wireshark decode).
Once you have this Device Profile, you can apply it to your 3rd party switch Network Device configuration (instead of the default Cisco value). But also be aware, that any Authorization Profiles sent to such a custom device, must also be tagged with this Vendor Profile, or they must be "blank" (i.e. apply to all vendors - as an example of this, the ISE built-in Access-Accept is vendor neutral)
I believe that, by adding the 3rd party device into ISE's RADIUS Dictionary, you will have access to these attributes in your Policy Set logic, and also Profiling logic (Type:RADIUS Attribute Name: VendorSpecific Operator: EQUALS Attribute Value: {VendorID})
I reckon this should be worth a try.
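Added example (not part of any post in this thread, and not Cisco or switch-vendor code): a small Python decoder that pulls the Vendor-Id and vendor attribute ID out of the Vendor-Specific (type 26) attributes in a RADIUS Access-Request, which are the two numbers the custom dictionary entry needs. The vendor ID 99999 is a constructed placeholder, attribute ID 5 is the made-up one from the answer above, the sample packet is constructed, and the sub-attribute layout assumed is the one RFC 2865 recommends (1-byte type, 1-byte length).

```python
import struct

VSA = 26                   # RADIUS Vendor-Specific attribute type (RFC 2865)
PLACEHOLDER_VENDOR = 99999  # constructed placeholder, not the real vendor ID
MADE_UP_ATTR_ID = 5         # the made-up Attribute ID used in the answer above

def build_vsa(vendor_id, vendor_type, text):
    """Encode one string VSA: type 26, length, Vendor-Id, then type/len/value."""
    data = text.encode()
    body = struct.pack("!I", vendor_id) + bytes([vendor_type, len(data) + 2]) + data
    return bytes([VSA, len(body) + 2]) + body

def build_access_request(attrs):
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def parse_vsas(packet):
    """Return [(vendor_id, vendor_type, value)] for every VSA sub-attribute."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == VSA and len(value) >= 4:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub, i = value[4:], 0
            while i + 2 <= len(sub):
                vtype, vlen = sub[i], sub[i + 1]
                if vlen < 2 or i + vlen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                found.append((vendor_id, vtype, sub[i + 2:i + vlen].decode("latin-1")))
                i += vlen
        pos += alen
    return found

# Constructed sample: MAB User-Name plus the three values from the first post.
VALUES = ["SEP70DA48E8B074",
          "1 28 3 15 6 12 42 119 242 120 66 150 43 252",
          "Cisco:Codec:1.0"]
SAMPLE = build_access_request(
    [bytes([1, 14]) + b"70da48e8b074"] +
    [build_vsa(PLACEHOLDER_VENDOR, MADE_UP_ATTR_ID, v) for v in VALUES])

if __name__ == "__main__":
    for vendor, attr_id, value in parse_vsas(SAMPLE):
        print(f"Vendor-Id={vendor} attr-id={attr_id} value={value!r}")
```

The same vendor attribute ID appearing three times in one request is why the dictionary entry needs "Allow multiple instances of this attribute in a profile".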