Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1819
Views
0
Helpful
4
Replies

Forcing a MAC on a specific port with MAB

Go to solution
martucci
Cisco Employee
Cisco Employee

‎11-30-2018 01:40 AM

They have MPLS in place and different customers. 

They have one switch and customer A on port 1, customer B on port 2. Both MAC addresses are in ISE, and they want do

Hello, 

I have a customer that has a very paticular case. They provide connectivity to some customers (shops and other businesses) on their network controlled with ISE.  They want to do simply MAB authentication, from a list of MAC addresses and guarantee that the customer A will ONLY connect to port 1, and is not allowed on port 2. MAC address is known to ISE.

What  would be the best way to configure this in  scalable way to enforce customer segregation?

 They saw the feature „VLAN Radius Atributes in Access Requests” in IOS 15.2(3)E. However, their 16.6 Versions or even 15.X don’t know that functionality.

They have in VLAN name the VPN of the customer, to be able to differentiate. However, the issue is that each switch has to be verified if feature is supported. 

Any other idea on how to do it?

 

Thanks a lot in advance

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Surendra
Cisco Employee
Cisco Employee
In response to martucci

‎12-03-2018 09:16 AM

You can use endpoint custom attributes.

Create a custom attribute with name say "AssignedPort" and type as String.
Edit the endpoint at Context Visibility > Endpoints > Edit > Custom Attributes > AssignedPort. Enter the value as "GigabitEthernet1/0/2" (this is just an example).
Create one authorization rule with condition as RADIUS:NAS-Port-Id equals Endpoints:AssignedPort

View solution in original post

0 Helpful
4 Replies 4

Go to solution
pan
Cisco Employee
Cisco Employee

‎11-30-2018 10:41 AM

RADIUS protocol send port number in radius attribute so you can use this attribute to configure a condition:

 

nasport1.png

 

nasport2.png

0 Helpful

Go to solution
martucci
Cisco Employee
Cisco Employee
In response to pan

‎11-30-2018 02:11 PM

Thanks, 

but the issue in doing it this way, would be that for every port they need to have a rule, so it would easily go out of hand in terms of scaling.

It should be done in a better way so that the number of rules can be contained.

 

0 Helpful

Go to solution
Surendra
Cisco Employee
Cisco Employee
In response to martucci

‎12-03-2018 09:16 AM

You can use endpoint custom attributes.

Create a custom attribute with name say "AssignedPort" and type as String.
Edit the endpoint at Context Visibility > Endpoints > Edit > Custom Attributes > AssignedPort. Enter the value as "GigabitEthernet1/0/2" (this is just an example).
Create one authorization rule with condition as RADIUS:NAS-Port-Id equals Endpoints:AssignedPort
0 Helpful

Go to solution
martucci
Cisco Employee
Cisco Employee
In response to Surendra

‎12-05-2018 12:33 AM

Thanks a lot!
That might definitively work, I will discuss with the customer !
0 Helpful
Customers Also Viewed These Support Documents