Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2436
Views
30
Helpful
7
Replies

fixed ip devices

Go to solution
suthomas1
Level 6
Level 6

‎08-13-2021 07:26 AM

Good day all,

 

In 802.1x/mac bypass how are devices with statically assigned ip address taken care of?

we have some badge/id code readers that have static ip over ethernet. What will the cisco switch port config look like for this case, will it need a default vlan on it? Or can that port be just enabled for mab/802.1but vlan remains to the device's static ip?

 

preferably doing profile is being looked upon rather than having a mac bypass list.

 

Thank you.

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dustin Anderson
VIP
VIP

‎08-19-2021 07:52 AM - edited ‎08-19-2021 07:53 AM

not sure what info you will initially get for profiling especially if it's static IP, so no DHCP profiling. You may only get profiling by the OUI of the mac. This may be enough as it is usually manufacturer specific.

 

Another option may be to make groups for the endpoints, but that would require you to pre-populate a list of the mac addresses. You could then call those groups in the rules. Here's an old link on endpoint identity groups. This really depends on the scale you are working as it can be a bit of a manual process.

 

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1152159

View solution in original post

7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-13-2021 09:10 AM

These device can not installed suplicant , they need to go MAB authentication here.

 

Look at the thread may help you :

 

https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-static-ip-assigned-devices-problem/m-p/4000705

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
suthomas1
Level 6
Level 6
In response to balaji.bandi

‎08-16-2021 06:14 AM

Yes, these devices are not supporting 802.1x. with MAB being used for them, do the switch port configurations need to have a default or not-the-final vlan or it should be left to the actual vlan that needs to be allowed?

If profile is to be done on ISE, can the profile be done with out the port having access?

0 Helpful

Go to solution
Dustin Anderson
VIP
VIP

‎08-16-2021 09:34 AM - edited ‎08-16-2021 09:34 AM

We use MAB for a lot of devices and some with static IPs. All of our ports are standard PC ports. When mab kicks in, we will usually change the vlan and send down a dACL. Since the device is static, the IP won't work when on the PC vlan, but will be fine once you switch vlans. This works good for devices that can't detect a vlan change and restart DHCP also.

 

We currently use this method for a lot of printers etc. that can't do 802.1x and we don't want thousands of static switchports to manage.

Go to solution
suthomas1
Level 6
Level 6
In response to Dustin Anderson

‎08-16-2021 06:26 PM

Thanks Dustin.

For the static ones, do you employ profiles to gather make or model? Or is it just permitted on dacl?

 

Go to solution
Dustin Anderson
VIP
VIP
In response to suthomas1

‎08-17-2021 11:23 AM

we only profile wireless devices so we know where to send them. For MAB, we use AD groups, so by checking group membership, we know what they are and where they go. We tried to stay away from profiling as that uses more licensing, so ends up as an added expense.

 

Here's part of all ours, we currently have 13 groups.

 

CN=AccessPoints,OU=Groups,OU=Devices MAC Authenticated,
CN=LaserPrinters,OU=Groups,OU=Devices MAC Authenticated,
CN=ThermalPrinters,OU=Groups,OU=Devices MAC Authenticated,
CN=StaticTesters,OU=Groups,OU=Devices MAC Authenticated,
CN=AV,OU=Groups,OU=Devices MAC Authenticated,
CN=SecurityCameras,OU=Groups,OU=Devices MAC Authenticated,
CN=External,OU=Groups,OU=Devices MAC Authenticated,
CN=RoomKits,OU=Groups,OU=Devices MAC Authenticated,
CN=PDCSensors,OU=Groups,OU=Devices MAC Authenticated,
CN=Wi_phone,OU=Groups,OU=Devices MAC Authenticated,
CN=Wi_scanner,OU=Groups,OU=Devices MAC Authenticated,
CN=Wi_internal,OU=Groups,OU=Devices MAC Authenticated,
CN=Wi_external,OU=Groups,OU=Devices MAC Authenticated,

 

 

Go to solution
suthomas1
Level 6
Level 6

‎08-19-2021 06:37 AM

Thanks again.

there is no AD groups for us. any ideas on profiling ?

0 Helpful

Go to solution
Dustin Anderson
VIP
VIP

‎08-19-2021 07:52 AM - edited ‎08-19-2021 07:53 AM

not sure what info you will initially get for profiling especially if it's static IP, so no DHCP profiling. You may only get profiling by the OUI of the mac. This may be enough as it is usually manufacturer specific.

 

Another option may be to make groups for the endpoints, but that would require you to pre-populate a list of the mac addresses. You could then call those groups in the rules. Here's an old link on endpoint identity groups. This really depends on the scale you are working as it can be a bit of a manual process.

 

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1152159

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents