ISE 2.4 Policy using nas-port-id

Hi,

Looking out there to see if anyone has used the RADIUS attribute nas-port-id in an authorization policy to lock down switch port access to specific devices. We deployed a few Cisco 12-port 3560-CX switches in our conference rooms and have integrated them with our ISE 2.4 RADIUS servers. Here's an example of what I'm thinking of implementing.

 

  • Authentication
    • DOT1x with PEAP-EAP, MS-CHAPV2
  • Authorization
    • if device is in external group <AD group name>, and
    • if nas-port-id is within range gigabitethernet0/1 through gigabitethernet0/10
  • Authorization Result
    • DACL with access needed

Accepted Solution

Re: ISE 2.4 Policy using nas-port-id
VIP Advocate

I have done NAS port ID before as well. You can also create a specific location or device type for these conference room switches to tie that into the rule as well.

One other thought that works well is this:

  1. Put the conference room ports on an Internet only VLAN.
  2. If a Dot1x device plugs in, i.e. a corporate device, move them to the corporate VLAN.


2 Replies

Re: ISE 2.4 Policy using nas-port-id
VIP Advisor

I've used it in the lab to target a specific port with no issue, but never in production. From a policy perspective it works, you will have to decide if it works or not from a design perspective.

In the current state, anything with those port numbers would hit; I would still add the network access device name/IP.
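To sanity-check the port-range condition from the question together with the over-match caveat in the reply above, here is an added Python model of the three AND-ed rule conditions; it is not code from the thread or from ISE, and the NAD addresses, the AD group name and the exact NAS-Port-Id string format are assumptions.

```python
import re

# Added example (not from the thread): a model of the authorization
# conditions discussed above, so the NAS-Port-Id range and the over-match
# caveat can be checked before the rule is built in ISE.

# Assumption: the 3560-CX sends NAS-Port-Id as the full interface name,
# e.g. "GigabitEthernet0/1". The anchored alternation admits only 1..10;
# a substring or "starts with" check on "0/1" would also hit 0/10, 0/11
# and 0/12 on a 12-port switch.
CONF_ROOM_PORTS = re.compile(r"^GigabitEthernet0/([1-9]|10)$", re.IGNORECASE)

# Constructed placeholder NAD addresses for the conference-room switches.
# This is the second reply's point: without a NAD condition, ports 1-10
# on every switch in the deployment would hit the rule.
CONF_ROOM_NADS = {"192.0.2.11", "192.0.2.12"}

# Assumed AD group name standing in for <AD group name> in the question.
CONF_ROOM_GROUP = "ConfRoom-Users"


def port_in_range(nas_port_id: str) -> bool:
    """True only for GigabitEthernet0/1 through GigabitEthernet0/10."""
    return CONF_ROOM_PORTS.match(nas_port_id.strip()) is not None


def naive_port_match(nas_port_id: str) -> bool:
    """The loose 'Contains 0/1' style check, kept only to show the over-match."""
    return "0/1" in nas_port_id


def authorize(nas_ip: str, nas_port_id: str, ad_groups) -> str:
    """Evaluate the AND-ed conditions and return the result profile name."""
    if (CONF_ROOM_GROUP in ad_groups
            and nas_ip in CONF_ROOM_NADS
            and port_in_range(nas_port_id)):
        return "ConfRoom-DACL"       # PermitAccess with the conference-room dACL
    return "DenyAccess"              # fall through to the default rule


if __name__ == "__main__":
    # Constructed sample requests: a corporate user on port 3, the same user
    # on port 11, and port 3 on a switch that is not a conference-room NAD.
    for nas_ip, port in [("192.0.2.11", "GigabitEthernet0/3"),
                         ("192.0.2.11", "GigabitEthernet0/11"),
                         ("198.51.100.5", "GigabitEthernet0/3")]:
        print(nas_ip, port, "->", authorize(nas_ip, port, {CONF_ROOM_GROUP}))
```

The same anchored regular expression is what goes into the ISE condition with the MATCHES operator on Radius:NAS-Port-Id, alongside the AD group and the device type, location or NAS-IP-Address condition.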