Forcing a MAC on a specific port with MAB

martucci
Cisco Employee

They have MPLS in place and different customers. 

They have one switch and customer A on port 1, customer B on port 2. Both MAC addresses are in ISE, and they want do

Hello, 

I have a customer that has a very particular case. They provide connectivity to some customers (shops and other businesses) on their network, controlled with ISE. They want to do simple MAB authentication from a list of MAC addresses and guarantee that customer A will ONLY connect to port 1 and is not allowed on port 2. The MAC address is known to ISE.

What would be the best way to configure this in a scalable way to enforce customer segregation?

They saw the feature "VLAN RADIUS Attributes in Access Requests" in IOS 15.2(3)E. However, their 16.6 versions, or even 15.X, don't have that functionality.

They have the VPN of the customer in the VLAN name, to be able to differentiate. However, the issue is that each switch has to be checked to see whether the feature is supported.

Any other idea on how to do it?


Thanks a lot in advance

Accepted Solution

You can use endpoint custom attributes.

Create a custom attribute with name say "AssignedPort" and type as String.
Edit the endpoint at Context Visibility > Endpoints > Edit > Custom Attributes > AssignedPort. Enter the value as "GigabitEthernet1/0/2" (this is just an example).
Create one authorization rule with condition as RADIUS:NAS-Port-Id equals Endpoints:AssignedPort


4 Replies

pan
Cisco Employee

The RADIUS protocol sends the port number in a RADIUS attribute, so you can use this attribute to configure a condition:

[screenshot: nasport1.png]

[screenshot: nasport2.png]

martucci
Cisco Employee

Thanks, 

but the issue with doing it this way is that they would need a rule for every port, so it would easily get out of hand in terms of scaling.

It should be done in a better way so that the number of rules can be contained.



Thanks a lot!
That might definitely work, I will discuss with the customer!
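To show how the accepted solution's single rule behaves, here is an added model of it (example code written for this thread, not part of ISE or the original posts): a constructed endpoint table stands in for the ISE endpoint database with its AssignedPort custom attribute, and `authorize` evaluates "RADIUS:NAS-Port-Id equals Endpoints:AssignedPort" against constructed MAB Access-Request attributes. It assumes a MAC whose AssignedPort was never filled in should be denied; how ISE itself treats an unset custom attribute in an equals condition is not stated in the thread, so verify that in the policy set before relying on it.

```python
import re

# Constructed endpoint table standing in for the ISE endpoint database:
# MAC -> custom attribute AssignedPort (None when the attribute was never set).
ENDPOINTS = {
    "00:11:22:33:44:01": "GigabitEthernet1/0/1",   # customer A, port 1
    "00:11:22:33:44:02": "GigabitEthernet1/0/2",   # customer B, port 2
    "00:11:22:33:44:03": None,                     # known MAC, attribute not set
}


def normalize_mac(mac: str) -> str:
    """Calling-Station-Id arrives in several notations (00-11-22-33-44-01,
    0011.2233.4401, 00:11:22:33:44:01); reduce all of them to one form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def authorize(request: dict) -> str:
    """Evaluate the one MAB authorization rule from the thread:
    PermitAccess only when NAS-Port-Id equals the endpoint's AssignedPort."""
    try:
        mac = normalize_mac(request["Calling-Station-Id"])
    except (KeyError, ValueError):
        return "DenyAccess"
    if mac not in ENDPOINTS:          # MAC unknown to ISE: MAB lookup fails
        return "DenyAccess"
    assigned = ENDPOINTS[mac]
    # Assumption of this model: an unset attribute never matches, so a known
    # MAC without an AssignedPort is denied rather than matched on any port.
    if not assigned or request.get("NAS-Port-Id") != assigned:
        return "DenyAccess"
    return "PermitAccess"


def main():
    # Constructed Access-Request attribute sets, as a switch doing MAB sends them.
    requests = [
        {"Calling-Station-Id": "00-11-22-33-44-01", "NAS-Port-Id": "GigabitEthernet1/0/1"},
        {"Calling-Station-Id": "00-11-22-33-44-01", "NAS-Port-Id": "GigabitEthernet1/0/2"},
        {"Calling-Station-Id": "0011.2233.4403", "NAS-Port-Id": "GigabitEthernet1/0/3"},
    ]
    for req in requests:
        print(req["Calling-Station-Id"], req["NAS-Port-Id"], "->", authorize(req))


if __name__ == "__main__":
    main()
```

The second request (customer A's MAC showing up on port 2) is the case the original poster wants blocked; the third shows why the attribute must be populated for every endpoint that is onboarded.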