486 Views | 6 Helpful | 2 Replies

ISE authentication condition "mac start with"

Quarkine (Level 1)

Hey Guys, 


I have a question regarding conditions, and I didn’t find anything about it in the documentation.

When we create a condition like calling-station-id, there are multiple options, such as starts with and begins with, which I understand.

One of the options is "MAC starts with," as shown in the image.

[image: Quarkine_0-1732823980882.png]

I know the calling station ID is the MAC address of the device, but what exactly does this option do? Some network devices send the MAC address to RADIUS in this format: xx-xx-xx-xx-xx-xx, while others use this format: xx:xx:xx:xx:xx:xx.

Which format does "MAC starts with" use?

Accepted Solution

Arne Bier (VIP)

The "Mac ..." conditions are special, since they don't care which delimiters are used. I verified this using radclient to send MAB requests with '-' and ':' MAC address delimiters; each time it matched the same rule.

[image: ArneBier_3-1732832017487.png]

Sending with '-'

abier@rnolabubu-01:~$ echo "User-name = '00-11-22-00-00-ff',User-Password = '00-11-22-00-00-ff',NAS-IP-Address = 172.22.128.120,Packet-Src-IP-Address = 172.22.128.120,Calling-Station-ID = '00-11-22-00-00-ff'" | /usr/bin/radclient -x 172.22.131.174:1812 auth cisco123
Sent Access-Request Id 246 from 172.22.128.120:35384 to 172.22.131.174:1812 length 116
        User-Name = "00-11-22-00-00-ff"
        User-Password = "00-11-22-00-00-ff"
        NAS-IP-Address = 172.22.128.120
        Packet-Src-IP-Address = 172.22.128.120
        Calling-Station-Id = "00-11-22-00-00-ff"
        Cleartext-Password = "00-11-22-00-00-ff"
Received Access-Accept Id 246 from 172.22.131.174:1812 to 172.22.128.120:35384 length 170
        User-Name = "00-11-22-00-00-FF"
        Class = 0x434143533a616331363833616562757431744c5759396f76727355424147477554627a3567516f4456646c33706d375376373949596d4c773a726e6f6c616269736530312f3532313934343536312f34393033
        Message-Authenticator = 0xb27f1a26a1787ba9b45552d07cc21cee
        Cisco-AVPair = "profile-name=Unknown"

[image: ArneBier_1-1732831913039.png]

Sending with ':'

abier@rnolabubu-01:~$ echo "User-name = '00-11-22-00-00-ff',User-Password = '00-11-22-00-00-ff',NAS-IP-Address = 172.22.128.120,Packet-Src-IP-Address = 172.22.128.120,Calling-Station-ID = '00:11:22:00:00:ff'" | /usr/bin/radclient -x 172.22.131.174:1812 auth cisco123
Sent Access-Request Id 233 from 172.22.128.120:40758 to 172.22.131.174:1812 length 116
        User-Name = "00-11-22-00-00-ff"
        User-Password = "00-11-22-00-00-ff"
        NAS-IP-Address = 172.22.128.120
        Packet-Src-IP-Address = 172.22.128.120
        Calling-Station-Id = "00:11:22:00:00:ff"
        Cleartext-Password = "00-11-22-00-00-ff"
Received Access-Accept Id 233 from 172.22.131.174:1812 to 172.22.128.120:40758 length 170
        User-Name = "00-11-22-00-00-FF"
        Class = 0x434143533a61633136383361656645696f485a6a5834426569772f59554d772f53695a653559354f365f68377668785176346f774c456c303a726e6f6c616269736530312f3532313934343536312f34393034
        Message-Authenticator = 0x5e5627e31f99787aedaf24e063def4a2
        Cisco-AVPair = "profile-name=Unknown"

[image: ArneBier_2-1732831939674.png]
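The answer above shows empirically that ISE's "MAC starts with" condition matches a Calling-Station-Id regardless of whether the NAS sends '-' or ':' delimiters. The following Python is an added illustration, not code from the thread or from Cisco ISE; it models that behaviour as a delimiter-insensitive prefix check and contrasts it with the ordinary string "starts with" operator, which would miss one of the two requests in the answer. It assumes (not confirmed by the post) that ISE compares the hex digits only; the Cisco-dotted format and the invalid-input handling are this example's own additions, and the sample requests reuse the two MAC strings from the radclient runs above.

```python
import re

# Delimiters tolerated when normalising: hyphen, colon, dot (Cisco xxxx.xxxx.xxxx) and whitespace.
_DELIMS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Strip delimiters and return the MAC as 12 lowercase hex digits.

    Accepts 00-11-22-00-00-ff, 00:11:22:00:00:ff and 0011.2200.00ff forms.
    Anything that does not reduce to exactly 12 hex digits is rejected with
    ValueError, so a mangled Calling-Station-Id fails closed instead of matching.
    """
    digits = _DELIMS.sub("", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def mac_starts_with(calling_station_id: str, prefix: str) -> bool:
    """Delimiter-insensitive prefix match, modelled on the ISE 'MAC starts with' condition.

    The prefix may itself be written with any delimiters (e.g. an OUI '00-11-22' or '00:11:22');
    only its hex digits are compared. Assumption: ISE compares hex digits only.
    """
    want = _DELIMS.sub("", prefix.strip().lower())
    if not want or not re.fullmatch(r"[0-9a-f]+", want):
        raise ValueError(f"invalid MAC prefix: {prefix!r}")
    return normalize_mac(calling_station_id).startswith(want)


def plain_starts_with(calling_station_id: str, prefix: str) -> bool:
    """The ordinary string 'starts with' operator for contrast: delimiter-sensitive."""
    return calling_station_id.lower().startswith(prefix.lower())


def evaluate_requests(requests, prefix: str) -> dict:
    """Run both operators over (request_id, Calling-Station-Id) pairs.

    Returns {request_id: {"mac_starts_with": bool, "starts_with": bool}} so the
    difference between the two operators is visible per request.
    """
    return {
        rid: {
            "mac_starts_with": mac_starts_with(csid, prefix),
            "starts_with": plain_starts_with(csid, prefix),
        }
        for rid, csid in requests
    }


# Constructed sample input: the two Calling-Station-Id values from the radclient runs above
# (request Ids 246 and 233), plus a Cisco-dotted form that is this example's own addition.
SAMPLE_REQUESTS = [
    (246, "00-11-22-00-00-ff"),
    (233, "00:11:22:00:00:ff"),
    (900, "0011.2200.00ff"),
]

if __name__ == "__main__":
    # The rule condition is written with hyphens; only the MAC operator matches all three.
    for rid, result in evaluate_requests(SAMPLE_REQUESTS, "00-11-22").items():
        print(rid, result)
```

Operationally, this is why a rule built on the ordinary "starts with" operator against Calling-Station-Id can silently fail for a subset of switches or WLCs that format the MAC differently; the MAC-specific operators remove that dependency on NAS formatting.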


2 Replies


thank you, this will save me good amount of time.