12-16-2018 11:22 PM - edited 02-21-2020 11:02 AM
REF: Re: 802.1X AND MAC address Authenticati...
Is this still available for ISE 2.3 and later versions? I can set the condition to be Radius·Calling-Station-ID, but cannot set the value to be an Endpoint identity Groups:{Groups_Name}. Can you please help to provide the policy detail? Thanks!
Accepted Solutions
12-17-2018 08:27 AM
Yes, ISE 2.3 uses the dictionary attribute IdentityGroup.Name as shown below:
12-17-2018 04:57 PM
12-18-2018 03:55 AM
Hi @Jing Hong Li - which Craig Hyps reference are you referring to? There was a similar posting on this Community Forum this week where someone asked how to do 802.1X but in combination with a MAC address lookup in an Endpoint Identity Group.
Have a read here.
12-18-2018 04:18 PM
12-18-2018 04:38 PM
Craig Hyps wrote
... you can also validate the Calling-Station-Id (MAC address of LAN user) to an allowed list such as Endpoint Identity Group with specific permissions.
This is how it is done. The Calling-Station-Id (MAC address) is assigned to an endpoint ID group and we use this endpoint ID group name in the authorization policy condition.
12-18-2018 09:26 PM
Great!
Thanks hslai, and I will have a test!
12-20-2018 02:09 PM
Hi @Jing Hong Li / @hslai
I was unable to find a way to search the Calling-Station-Id in an Endpoint Identity Group DURING an 802.1X authentication. In the RADIUS packets there is always the Calling-Station-Id - BUT - because this is an 802.1X authentication, the User-Name field is used in all of the lookups.
The solution (as far as I can see) is to perform a MAB auth, and then an 802.1X auth. The Cisco WLC supports that. If the MAB auth fails, then the WLC won't even attempt the 802.1X auth. This means less work for ISE.
The link I sent in a previous comment shows how this is done.
02-27-2019 06:46 PM
Hi Arne Bier,
No need to search Calling-Station-Id, just compare Identity Group name, it works fine.
