DHCP option parameters of third party switch

pgamage
Level 1

We have added a 3rd party switch to the ISE, and the switch sends MAB authentication requests along with DHCP options.

HW-DHCP-Option=SEP70DA48E8B074;
HW-DHCP-Option=1 28 3 15 6 12 42 119 242 120 66 150 43 252;
HW-DHCP-Option=Cisco:Codec:1.0;

The label "HW-DHCP-Option" is vendor specific, we can translate this name to the name desired by ISE. 

Can someone tell me what label I should use to convert so that ISE would accept it?


So you mean like Cisco Device Sensor?  Are these sent via RADIUS Accounting from the access switch in question?  https://cs.co/ise-interop 

Why do you want these DHCP options?

MHM

pgamage
Level 1

Phones and codec devices need to be authenticated by the ISE. The switch sends phone and codec data collected by DHCP snooping to the ISE for profiling. It's MAC Address Bypass authentication. Everything is RADIUS.

So this switch uses RADIUS accounting to send these attributes? This will most likely be an enhancement request, I’m not aware of there being any customizations to Device Sensor/RADIUS probe behavior. I would open a TAC case and ask your account team.

No, these are sent with the RADIUS authentication request. I guessed this information may help device profiling. I may be wrong. TAC would help but is not an option in my situation. Kind of a dead end.

Why isn’t TAC an option? You can also always relay to ISE using an IP helper upstream. The access switch doesn’t have to send this information.

3rd party SW, can I know exactly what the SW model is?

MHM

Please take a look at DHCP Attributes section in this guide:

ISE Profiling Design Guide - Cisco Community

I will study this in depth. It suggests to me that I must consider broader profiling data.

Arne Bier
VIP

Have you tried making a Network Device Profile for this vendor product?  You can start by creating a RADIUS dictionary definition into ISE to populate the custom attribute(s) you need, and then you can craft your own MAB and 802.1X authentication detection Rules based on that. It means that ISE will do all the attribute matching/checks for you, based on your custom logic.

If you're only after one RADIUS attribute "DHCP Option" then you could also create that one manually, and ensure you set it as a STRING and have the tick box set for "Allow multiple instances of this attribute in a profile". I just made up the Attribute ID "5" (you can get the true values from a tcpdump/wireshark decode).


Once you have this Device Profile, you can apply it to your 3rd party switch Network Device configuration (instead of the default Cisco value). But also be aware that any Authorization Profiles sent to such a custom device must also be tagged with this Vendor Profile, or they must be "blank" (i.e. apply to all vendors; as an example of this, the ISE built-in Access-Accept is vendor neutral).

I believe that, by adding the 3rd party device into ISE's RADIUS Dictionary, you will have access to these attributes in your Policy Set logic, and also Profiling logic (Type:RADIUS Attribute Name: VendorSpecific Operator: EQUALS Attribute Value: {VendorID})

I reckon this should be worth a try.
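As an added illustration (not code from this thread, from Cisco or from ISE): a small Python parser for the three multi-instance HW-DHCP-Option strings quoted in the question, separating them into the DHCP fields they appear to carry so that a profiling rule has structured values to match on. The assignment of each instance to host-name (option 12), parameter request list (option 55) and vendor class (option 60), the comma-separated fingerprint form, and the phone heuristic are assumptions for the example, not ISE behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the three HW-DHCP-Option instances from the question,
# as they would arrive together in one Access-Request (multi-instance STRING VSA).
SAMPLE_VSA = [
    "SEP70DA48E8B074",
    "1 28 3 15 6 12 42 119 242 120 66 150 43 252",
    "Cisco:Codec:1.0",
]


@dataclass
class DhcpProfileData:
    host_name: Optional[str] = None                     # assumed DHCP option 12
    parameter_request_list: List[int] = field(default_factory=list)  # option 55
    class_identifier: Optional[str] = None              # assumed DHCP option 60
    unclassified: List[str] = field(default_factory=list)


def classify_vsa_instances(values: List[str]) -> DhcpProfileData:
    """Sort unlabelled VSA instances by shape. Hypothetical rules: a list of
    0..255 integers is the parameter request list, a colon-delimited string
    is the vendor class, a plain token is the host name. A host name made only
    of digits would be misclassified, so anything else is kept as unclassified."""
    data = DhcpProfileData()
    for raw in values:
        v = raw.strip().rstrip(";")
        if re.fullmatch(r"\d{1,3}(\s+\d{1,3})*", v):
            nums = [int(x) for x in v.split()]
            if all(0 <= n <= 255 for n in nums):
                data.parameter_request_list = nums
                continue
        if ":" in v:
            data.class_identifier = v
        elif re.fullmatch(r"[A-Za-z0-9\-_.]+", v):
            data.host_name = v
        else:
            data.unclassified.append(raw)
    return data


def dhcp_fingerprint(data: DhcpProfileData) -> str:
    """Option-55 list as a comma-separated fingerprint string (assumed format)."""
    return ",".join(str(n) for n in data.parameter_request_list)


def looks_like_cisco_phone(data: DhcpProfileData) -> bool:
    """Example profiling check: 'Cisco:' vendor class plus a SEP<MAC> host name."""
    vendor_ok = (data.class_identifier or "").lower().startswith("cisco:")
    host_ok = bool(re.fullmatch(r"SEP[0-9A-F]{12}", data.host_name or ""))
    return vendor_ok and host_ok
```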