[ISE 2.3+] 802.1X AND MAC address Authentication simultaneously?

Jing Hong Li
Level 1

REF: Re: 802.1X AND MAC address Authenticati...

Is this still available for ISE 2.3 and later versions? I can set the condition to be Radius·Calling-Station-ID, but cannot set the value to be an Endpoint Identity Group: {Groups_Name}. Can you please help to provide the policy detail? Thanks!

1 Accepted Solution

hslai
Cisco Employee

Yes, ISE 2.3 uses the dictionary attribute IdentityGroup.Name as shown below:

[Screenshot: Screen Shot 2018-12-17 at 8.20.29 AM.png]

8 Replies


Hi hslai, thanks for creating a new post and replying. From your screenshot it appears that, for 802.1X and MAC address filter authentication at the same time, there is no need to compare Radius Calling-Station-ID as Craig Hyps mentioned, right?

Hi @Jing Hong Li - which Craig Hyps reference are you referring to? There was a similar posting on this Community Forum this week where someone asked how to do 802.1X but in combination with a MAC address lookup in an Endpoint Identity Group.

Have a read here.

Craig Hyps wrote 

... you can also validate the Calling-Station-Id (MAC address of LAN user) to an allowed list such as Endpoint Identity Group with specific permissions.

This is how it is done. The Calling-Station-Id (MAC address) is assigned to an endpoint ID group and we use this endpoint ID group name in the authorization policy condition.

Great!

 

Thanks hslai, and I will test it!

 

Hi @Jing Hong Li / @hslai

I was unable to find a way to search the Calling-Station-Id in an Endpoint Identity Group DURING an 802.1X authentication. In the RADIUS packets there is always the Calling-Station-ID - BUT - because this is an 802.1X authentication, the User-Name field is used in all of the lookups.

The solution (as far as I can see) is to perform a MAB auth, and then an 802.1X auth. The Cisco WLC supports that. If the MAB auth fails, then the WLC won't even attempt the 802.1X auth. This means less work for ISE.

The link I sent in a previous comment shows how this is done.

Hi Arne Bier,

No need to search Calling-Station-Id, just compare the Identity Group name; it works fine.
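The thread's conclusion is that the authorization rule does not compare the Calling-Station-Id itself: the endpoint that sent the request is resolved from the Calling-Station-Id MAC, and the rule tests IdentityGroup.Name against the Endpoint Identity Group the administrator populated, while the 802.1X authentication itself still runs on User-Name. The model below is an added illustration of that policy logic written for this page; it is not Cisco ISE code and does not claim to reproduce how ISE matches internally. The group names, MAC addresses, user names and rule names are constructed sample data. The one practical detail it adds is MAC normalization: network devices send Calling-Station-Id in several formats (hyphens, dots, colons, bare hex), so the group lookup must canonicalize before comparing.

```python
"""Toy model of an authorization rule on IdentityGroup.Name (illustration only).

Added example, not Cisco ISE code. The endpoint database, the policy rules
and every MAC/user/group name below are constructed for demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed endpoint database: canonical MAC -> Endpoint Identity Group name.
ENDPOINT_GROUPS: Dict[str, str] = {
    "00:11:22:33:44:55": "Corp-Laptops",
    "66:77:88:99:aa:bb": "Corp-Laptops",
    "de:ad:be:ef:00:01": "Guest-BYOD",
}

# Constructed authorization policy, evaluated top-down, first match wins:
# (rule name, required access method, required IdentityGroup.Name, result)
AUTHZ_RULES: List[Tuple[str, str, str, str]] = [
    ("Corp 802.1X known endpoint", "dot1x", "Corp-Laptops", "PermitAccess"),
    ("Guest MAB", "mab", "Guest-BYOD", "GuestVLAN"),
]
DEFAULT_RULE = ("Default", "DenyAccess")


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Canonicalize a Calling-Station-Id to aa:bb:cc:dd:ee:ff.

    Accepts 00-11-22-33-44-55, 0011.2233.4455, 00:11:22:33:44:55 and
    001122334455 (any case). Returns None when the value is not a 48-bit MAC,
    so a malformed attribute can never match an endpoint group.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def identity_group_name(calling_station_id: str) -> Optional[str]:
    """Resolve the endpoint's IdentityGroup.Name, or None for an unknown MAC."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return None
    return ENDPOINT_GROUPS.get(mac)


@dataclass(frozen=True)
class Decision:
    rule: str
    result: str
    identity_group: Optional[str]


def authorize(radius_attrs: Dict[str, str], access_method: str) -> Decision:
    """Evaluate the authorization rules for one RADIUS request.

    access_method is "dot1x" or "mab" (constructed label for how the session
    was authenticated). The identity group comes from Calling-Station-Id, so a
    rule on it can fire during an 802.1X flow even though authentication used
    User-Name; an unknown endpoint has no group and falls to the default deny.
    """
    group = identity_group_name(radius_attrs.get("Calling-Station-Id", ""))
    for rule, method, required_group, result in AUTHZ_RULES:
        if method == access_method and group is not None and group == required_group:
            return Decision(rule, result, group)
    return Decision(DEFAULT_RULE[0], DEFAULT_RULE[1], group)


if __name__ == "__main__":
    # Constructed requests: same endpoint, three Calling-Station-Id formats.
    for csid in ("00-11-22-33-44-55", "0011.2233.4455", "001122334455"):
        print(csid, "->", authorize({"User-Name": "alice", "Calling-Station-Id": csid}, "dot1x"))
    # A valid 802.1X user on an endpoint that is not in the required group.
    print(authorize({"User-Name": "alice", "Calling-Station-Id": "11-11-11-11-11-11"}, "dot1x"))
```

The point the thread settles is visible in `authorize`: the rule never reads the MAC string directly, it reads the group the MAC resolved to, so a known corporate endpoint with an authenticated user is permitted while the same user on an unregistered or guest-registered device is denied by the default rule.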