2465 Views | 21 Helpful | 3 Replies

Endstation Network Condition not working for IPv4

newjard
Level 1

I have a question about Endstation Network Conditions for IPv4.
I have configured Network Conditions >>> Endstation Network Conditions >>> created "TEST_ENDSTATION" and added the IP address 10.50.50.10 or alternatively 10.50.50.0/24.
In AUTHORIZATION POLICY I have the condition "Network Conditions: TEST_ENDSTATION".
Endstation authentication/authorization started from IP address 10.50.50.10 (tested for MAB and DOT1X) is not matched with the prepared condition. I read that I need to add a command on the switch, but it doesn't help:
radius-server attribute 31 send nas-port-detail.

I also tried:

radius-server attribute 31 send nas-port-detail
radius-server attribute 31 remote-id
radius-server attribute 31 append-circuit-id

Additionally, I have attributes for configuration:

mab request format attribute 32 vlan access-vlan
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 send nas-port-detail
radius-server attribute 31 remote-id
radius-server attribute 31 append-circuit-id
radius-server vsa send cisco-nas-port

Did not work.
If I add MAC to Endstation Network Conditions >>> TEST_ENDSTATION MAC, then the authorization works correctly and goes to AUTHORIZATION POLICY condition "Network Conditions: TEST_ENDSTATION MAC".

So for MAC it works, but for IP it doesn't.

What do I need to add to the switch configuration so that the IP address is sent in the network attributes?

 

Port configuration:

interface FastEthernet0/XX
 description dot1x test
 switchport access vlan XXX
 switchport mode access
 switchport nonegotiate
 switchport voice vlan XXX
 authentication event fail retry 0 action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast edge
 spanning-tree guard root
 ip dhcp snooping limit rate 15
end

Switch (I also tested on others):

WS-C2960C-8PC 15.2(7)E4 - C2960c405-UNIVERSALK9-M

 

[Attachments: endstation MAC conditions.png, endstation IP conditions.png]

 

3 Replies

Hi @newjard ,

the Endstation Network Conditions is based on End Stations that initiate and terminate the connection. In a RADIUS Request, this identifier is available in Attribute 31 (Calling-Station-Id). Calling-Station-Id is commonly the MAC Addr of the connecting Endpoint.

At Work Centers > Profiler > Endpoint Classification, check the attributes captured by the RADIUS Probe of the selected Endpoint, verify the Calling-Station-Id info.

Note: the Framed-IP-Address value populates the IP attribute.

 

Hope this helps !!!

Thanks for the answer.

 

In my endpoint authorization's ISE logs I have:

--------ISE LOGS--------
Authentication Details
Endpoint Id: MAC ENDPOINT
Calling Station Id: MAC ENDPOINT
IPv4 Address: 10.50.50.10

Other Attributes
EndPointMACAddress: MAC ENDPOINT
Called-Station-ID: MAC ENDPOINT
-- I can't see Framed-IP-Address --

-----
In ISE TCP DUMP in wireshark I can see Framed-IP-Address:
AVP: t=Framed-IP-Address(8) l=6 val=10.50.50.10
Type: 8
Length: 6
Framed-IP-Address: 10.50.50.10
-----

At Work Centers > Profiler > Endpoint Classification I can see:
Calling-Station-ID: MAC ENDPOINT
EndPointMACAddress: MAC ENDPOINT
Framed-IP-Address: 10.50.50.10
Ip: 10.50.50.10

 

We do not use Profiling.

The authorization rule with IP_ENDPOINT still does not match.

What else could be the reason?

What can I check?

 

 

rezaalikhani
Spotlight

Based on the definition, the only parameter that is checked when you select an Endstation Network Condition and use RADIUS-based authentication is "Calling-Station-ID". Based on your experience, the MAC address restriction works but the IP address does not. This is normal because "Calling-Station-ID" contains the IP address of the endstation when the endpoint is using AnyConnect VPN to access the network.
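The following is an added example, not code from this thread or from Cisco ISE: a small Python model of the behaviour the replies describe. It parses the attribute section of a RADIUS Access-Request (Calling-Station-Id, attribute 31, and Framed-IP-Address, attribute 8, the AVP the tcpdump above shows with l=6), then evaluates an endstation condition the way the replies say ISE does, against Calling-Station-Id only. It also covers the VPN case from the last reply, where Calling-Station-Id carries an IP rather than a MAC. The packet bytes and the MAC value are constructed sample data, and the condition format (a list of MACs or CIDR networks) and all function names are assumptions made for the illustration.

```python
import ipaddress
import struct

# RADIUS attribute type codes from RFC 2865
FRAMED_IP_ADDRESS = 8     # attribute 8, present in the tcpdump above
CALLING_STATION_ID = 31   # attribute 31, the value the endstation condition compares


def build_avp(attr_type, value):
    """Encode one RADIUS attribute-value pair as type(1) | length(1) | value."""
    if attr_type == FRAMED_IP_ADDRESS:
        value = ipaddress.IPv4Address(value).packed  # 4 bytes, so length = 6
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_avps(data):
    """Parse the attribute section of a RADIUS packet into {type: [values]}.
    The length checks stop a malformed AVP from reading past the buffer."""
    avps = {}
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = struct.unpack_from("!BB", data, offset)
        if length < 2 or offset + length > len(data):
            raise ValueError(f"bad AVP length {length} at offset {offset}")
        raw = data[offset + 2:offset + length]
        if attr_type == FRAMED_IP_ADDRESS and len(raw) == 4:
            value = str(ipaddress.IPv4Address(raw))
        else:
            value = raw.decode("ascii", errors="replace")
        avps.setdefault(attr_type, []).append(value)
        offset += length
    return avps


def normalize_mac(text):
    """Reduce any MAC notation (00:11:22..., 00-11-22..., 0011.2233...) to hex digits."""
    return "".join(c for c in text.lower() if c in "0123456789abcdef")


def endstation_condition_matches(avps, condition):
    """Model of the endstation condition as the replies describe it: every entry
    (a MAC, or an IP network in CIDR form; this format is an assumption) is
    compared against Calling-Station-Id only. Framed-IP-Address is never consulted."""
    for csid in avps.get(CALLING_STATION_ID, []):
        for entry in condition:
            try:
                network = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                # Not an IP entry, so compare it as a MAC address
                if normalize_mac(entry) == normalize_mac(csid):
                    return True
                continue
            try:
                if ipaddress.ip_address(csid) in network:
                    return True
            except ValueError:
                # Calling-Station-Id is a MAC here (wired dot1x/MAB), not an IP
                continue
    return False


# Constructed sample: what a wired switch sends for the poster's endpoint.
# The MAC is a placeholder; the IP is the one from the thread.
SAMPLE_MAC = "00-11-22-33-44-55"
SAMPLE_IP = "10.50.50.10"


def build_wired_request():
    return build_avp(CALLING_STATION_ID, SAMPLE_MAC) + build_avp(FRAMED_IP_ADDRESS, SAMPLE_IP)


def build_vpn_request():
    # AnyConnect VPN case from the last reply: Calling-Station-Id carries the IP
    return build_avp(CALLING_STATION_ID, SAMPLE_IP) + build_avp(FRAMED_IP_ADDRESS, SAMPLE_IP)


def evaluate_thread_cases():
    """Return the match results for the conditions discussed in the thread."""
    wired = parse_avps(build_wired_request())
    vpn = parse_avps(build_vpn_request())
    return {
        "framed_ip_present_on_wired": wired.get(FRAMED_IP_ADDRESS) == [SAMPLE_IP],
        "wired_ip_condition": endstation_condition_matches(wired, ["10.50.50.0/24"]),
        "wired_mac_condition": endstation_condition_matches(wired, ["00:11:22:33:44:55"]),
        "vpn_ip_condition": endstation_condition_matches(vpn, ["10.50.50.0/24"]),
    }


if __name__ == "__main__":
    for name, result in evaluate_thread_cases().items():
        print(f"{name}: {result}")
```

Running it reproduces the thread: Framed-IP-Address is parsed from the wired request, so the IP really does reach the server, yet the IP-network condition fails because only Calling-Station-Id (a MAC on a switch port) is compared; the MAC condition matches, and the IP condition matches only for the VPN-style request whose Calling-Station-Id is an IP. If you want to authorize wired endpoints by IP, the attribute to build the policy on is the one that actually carries the IP, not the endstation condition.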