ISE 2.4 Policy using nas-port-id

Evanjrosado, Level 1

Hi,

Looking out there to see if anyone has used the RADIUS attribute nas-port-id in an authorization policy to lock down switch port access to specific devices. We deployed a few Cisco 12-port 3560-CX switches in our conference rooms and have integrated them with our ISE 2.4 RADIUS servers. Here's an example of what I'm thinking of implementing.

  • Authentication
    • DOT1x with PEAP-EAP, MS-CHAPv2
  • Authorization
    • if device is in external group <AD group name>, and
    • if nas-port-id is within range gigabitethernet0/1 through gigabitethernet0/10
  • Authorization Result
    • DACL with access needed
Accepted Solution

paul, Level 10

I have done NAS port ID before as well. You can also create a specific location or device type for these conference room switches to tie that into the rule as well.

One other thought that works well is this:

  1. Put the conference room ports on an Internet-only VLAN.
  2. If a Dot1x device plugs in, i.e. a corporate device, move it to the corporate VLAN.


2 Replies

Damien Miller, VIP Alumni
I've used it in the lab to target a specific port with no issue, but never in production. From a policy perspective it works; you will have to decide whether it works from a design perspective.

In the current state anything with those port numbers would hit, so I would still add the network access device name/IP.
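To make the rule from the question and the caveat in this reply concrete, here is an added example (not from the thread or from Cisco ISE) that models the authorization rule in Python: an anchored regex of the kind one could use in an ISE "NAS-Port-Id MATCHES" condition for Gi0/1 through Gi0/10, plus the NAD scoping suggested above. The switch IPs, AD group name and DACL name are constructed placeholders.

```python
import re

# Regex a practitioner could use in an ISE "Radius:NAS-Port-Id MATCHES ..." condition.
# Anchored so that Gi0/11 or Gi0/100 do not match. This pattern is an assumption,
# not taken from the thread.
PORT_RANGE_RE = re.compile(r"^GigabitEthernet0/([1-9]|10)$")

# Constructed values: conference-room switch IPs, AD group and DACL name (placeholders).
CONF_ROOM_NADS = {"10.10.50.11", "10.10.50.12"}
CONF_ROOM_AD_GROUP = "EXAMPLE\\ConfRoomUsers"
CONF_ROOM_DACL = "PERMIT_CONF_ROOM"


def port_in_range(nas_port_id: str) -> bool:
    """True when NAS-Port-Id is GigabitEthernet0/1 .. GigabitEthernet0/10."""
    return PORT_RANGE_RE.match(nas_port_id) is not None


def authorize(req: dict, scope_to_nad: bool = True) -> str:
    """Evaluate the rule from the thread against a RADIUS request modelled as a dict.

    req keys (constructed): 'ad_groups', 'NAS-Port-Id', 'NAS-IP-Address'.
    Returns the DACL name on a match; a non-match falls through, modelled
    here as the ISE default rule 'DenyAccess'.
    """
    in_group = CONF_ROOM_AD_GROUP in req.get("ad_groups", [])
    on_port = port_in_range(req.get("NAS-Port-Id", ""))
    # The extra condition raised in the replies: without scoping to the
    # conference-room NADs, Gi0/1-10 on any switch in the deployment would match.
    on_nad = (not scope_to_nad) or req.get("NAS-IP-Address") in CONF_ROOM_NADS
    if in_group and on_port and on_nad:
        return CONF_ROOM_DACL
    return "DenyAccess"


if __name__ == "__main__":
    # Constructed request: group member on Gi0/5 of a switch that is NOT a conference-room NAD.
    other_switch = {"ad_groups": [CONF_ROOM_AD_GROUP],
                    "NAS-Port-Id": "GigabitEthernet0/5",
                    "NAS-IP-Address": "10.10.99.5"}
    print(authorize(other_switch, scope_to_nad=False))  # PERMIT_CONF_ROOM: rule is too broad
    print(authorize(other_switch))                       # DenyAccess: rule scoped to the NADs
```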
