
Endpoint with static IP address and ISE

ipagliani
Level 1

Ciao,

Is it possible to create a policy in order to block endpoints with a static IP address configured in an 802.1X environment?

Thanks

3 Replies

Mike.Cifelli
VIP Alumni
Yes. You can accomplish this by utilizing the following condition in authz policy:
NetworkAccess:DeviceIPAddress EQUALS <IP>

Or you can do this in your global policies. If you wish, you can also set up policies based on device type, which are your device groups.

HTH!

Daniel Lucas
Level 1
If you are wanting a policy to basically not allow any static IP address (a condition for DHCP obtained IP address or something like that) then I am not aware of a way to do that in ISE - maybe if you have device sensor w/ DHCP snooping enabled there may be a condition to match based on information received from the NAD?
An alternative way to prevent static IPs would be to enable dynamic ARP inspection (which relies on DHCP snooping), and don't configure any static ARP entries.
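
A switch-side sketch of the DHCP snooping plus dynamic ARP inspection approach described in the reply above, added here as an example and not posted by anyone in the thread. VLAN 10, the interface numbers and the uplink role are assumptions.

```cisco
! Constructed example: VLAN 10 is the 802.1X access VLAN,
! Gi1/0/48 is the uplink toward the DHCP server.
!
! Build the DHCP snooping binding table (MAC, IP, VLAN, port)
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Check ARP packets on untrusted ports against that binding table
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/48
 description Uplink toward DHCP server (trusted)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 47
 description 802.1X access ports (untrusted by default)
 ip arp inspection limit rate 15
!
! No ARP ACLs with static entries are defined, so only hosts that
! obtained a lease through DHCP have a binding to match.
!
! Verification (exec mode)
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

A host that configures its address statically never creates a snooping binding, so its ARP packets are dropped on the untrusted access ports and show up in the drop counters of the statistics output.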

paul
Level 10

If these are domain joined devices then this should be stripped away by taking away admin rights on their machines or disabling those options via GPO. You could try profiling on things like:

dhcp-parameter-request-list matches .* or dhcp-class-identifier matches .*

If those exist you could put them into a DHCP_Device profile, but they would only need to do DHCP once to get those attributes populated. If they changed to static IP after the fact they would still look like a DHCP device from a profiling perspective.