EAP-TLS Auth combine with mac-address-group (EAP-TLS and MAB)

ChristianBur (Level 1)

We are currently switching our Cisco phones to a new call manager; for this, it is necessary for some phones to have separate DHCP options.
Therefore I would like to move the individual phones, by MAC address groups, into a separate voice VLAN.

As described here

http://blog.arronsmalley.com/?p=56

This also works great with MAB, even when specifying a group (ID Group or MS-SQL database).

However, we authenticate our Cisco IP Phones with EAP-TLS, and I find no way to additionally add a group of MAC addresses in order to separate the phones.

I can only enter a single MAC address via "xx_CiscoIPPhone_MIC__EAP-TLS AND Radius:Calling-Station-ID EQUALS xx:xx:xx:xx:xx:xx" in the policy set rule. The following rules do not work: "xx_CiscoIPPhone_MIC__EAP-TLS AND IdentityGroup:Name EQUALS MAB_CB_Tel_Test" or "xx_CiscoIPPhone_MIC__EAP-TLS AND MAB_MSSQL:ExernalGruops EQUALS test-mssql-database-group".


However, I am missing a possibility such as

"xx_CiscoIPPhone_MIC__EAP-TLS AND Radius:Calling-Station-ID CONTAINS (IdentityGroup:Name EQUALS MAB_CB_Tel_Test)" or

"xx_CiscoIPPhone_MIC__EAP-TLS AND Radius:Calling-Station-ID CONTAINS (MAB_MSSQL:ExernalGruops EQUALS test-mssql-database-group)"


3 Replies

Craig Hyps (Level 10)

Enter the Identity Group under the Identity Group condition and not under Other Conditions.

You should then see the selected Endpoint Identity Group show up first in the list of conditions, in bold.  In ISE 2.1 and above, you could also add a custom attribute for the different groups and set the appropriate value to match in the AuthZ policy.

Craig

Ok, this could work with a local Endpoint Identity Group.

Generally, we use only the External ID Sources (MS SQL) to authorize MAC addresses; how would that work?

It depends on the Identity used for auth.  If it is 802.1X auth and the identity is the device name or something else derived from cert fields in the TLS auth, then that is the index value used for the external lookup.  You cannot jump back to the MAC address unless it is MAB auth.  Also note that even with the MAC address, the SQL server will likely expect the MAC to be in the format it has stored it in.  In other words, it may be sensitive to case and delimiters, if present.  You should see what the external ID store returns for these values in the auth detail log.

If the requirement is to use a different lookup key than the RADIUS identity, then please reach out to your account team and provide details on the use case (similar to what is provided here) along with the business impact. They should then submit it to the internal ISE PM mailer.  I am trying to make a case to prioritize such functionality, but you may already have the pieces needed with the right config.

Craig
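The format caveat in the accepted answer (the external store matching on case and delimiters) is easy to reproduce outside ISE. The following is an added illustration, not code from this thread or from Cisco ISE: it models a MAC-keyed external store as a plain Python set and shows a naive exact-string lookup failing while a normalised lookup succeeds. The group name `MAB_CB_Tel_Test` is taken from the question; the MAC values, the `STORED_GROUP_MEMBERS` table, the VLAN names and the `authorize` rule are constructed for this example and stand in for whatever the real MS SQL table and AuthZ policy would hold.

```python
import re
from typing import Optional

# Constructed stand-in for an external ID store (e.g. an MS SQL table) that
# keeps each group's MAC addresses in ONE fixed format: 12 uppercase hex digits,
# no delimiters. Values are made up for this example.
STORED_GROUP_MEMBERS = {
    "MAB_CB_Tel_Test": {"AABBCC001122", "AABBCC334455"},
}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def canonical_mac(raw: str) -> Optional[str]:
    """Reduce any common MAC spelling to 12 uppercase hex digits.

    Accepts aa:bb:cc:00:11:22, AA-BB-CC-00-11-22, aabb.cc00.1122 and
    aabbcc001122. Returns None for anything that is not a MAC address.
    """
    digits = re.sub(r"[:\-.\s]", "", raw.strip()).upper()
    return digits if _HEX12.fullmatch(digits) else None


def format_mac(canon: str, style: str) -> str:
    """Render a canonical MAC in the delimiter style a given store expects."""
    if style == "colon":          # aa:bb:cc:00:11:22 (common RADIUS form)
        return ":".join(canon[i:i + 2] for i in range(0, 12, 2)).lower()
    if style == "hyphen":         # AA-BB-CC-00-11-22 (common Windows form)
        return "-".join(canon[i:i + 2] for i in range(0, 12, 2))
    if style == "cisco":          # aabb.cc00.1122 (IOS show output form)
        return ".".join(canon[i:i + 4] for i in range(0, 12, 4)).lower()
    raise ValueError(f"unknown style {style!r}")


def naive_lookup(calling_station_id: str, group: str) -> bool:
    """What an exact-match query does: compare the attribute as received."""
    return calling_station_id in STORED_GROUP_MEMBERS.get(group, set())


def lookup_group(calling_station_id: str, group: str) -> bool:
    """Normalise first, then compare against the store's own format."""
    canon = canonical_mac(calling_station_id)
    if canon is None:
        return False
    return canon in STORED_GROUP_MEMBERS.get(group, set())


def authorize(request: dict) -> str:
    """Toy model of the rule the question asks for (hypothetical VLAN names):
    EAP-TLS succeeded AND Calling-Station-ID is in the group -> new voice VLAN.
    """
    if request.get("eap_method") != "EAP-TLS":
        return "DENY"
    if lookup_group(request.get("calling_station_id", ""), "MAB_CB_Tel_Test"):
        return "VOICE_VLAN_NEW"
    return "VOICE_VLAN_DEFAULT"


if __name__ == "__main__":
    csid = "aa:bb:cc:00:11:22"   # constructed RADIUS Calling-Station-ID
    print("naive:", naive_lookup(csid, "MAB_CB_Tel_Test"))      # False
    print("normalised:", lookup_group(csid, "MAB_CB_Tel_Test")) # True
    print("authz:", authorize({"eap_method": "EAP-TLS", "calling_station_id": csid}))
```

The practical takeaway matches the answer above: if the store's query compares the MAC string verbatim, a switch that sends `aa:bb:cc:00:11:22` will never match rows stored as `AABBCC001122` or `AA-BB-CC-00-11-22`. Either store the MAC in exactly the form the RADIUS attribute arrives in, or normalise on the query side (`format_mac` shows the three common styles), and confirm which form reached the store by reading the attribute in the ISE auth detail log.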
