
Port Bounce using ISE Policy Advanced Attribute Settings

mark373737
Level 1

Hi All,

We have a software issue where a certain type of vendor device randomly starts using an incorrect source MAC address. A manual port-bounce cures the problem... and afterwards the device type uses the correct source MAC address. So I'd like to replicate this in ISE policy. The device types always use the same incorrect source MAC address, which occurs across the network.

I have created an ISE policy that looks for the incorrect MAC address (which I have put into an Endpoint Group) and if found applies the policy.

So I now need to make the policy itself do a port-bounce.

I have found information that suggests you can issue a port bounce under ISE Policy elements (Advanced Attribute Settings) as follows:

Cisco:Avpair="subscriber:command=bounce-host-port"

That works OK but this command needs an accompanying session identifier, else the port bounce fails with a Disconnect NAK (which I am seeing). According to Cisco, this session identifier can use:

  • Calling-Station-Id (IETF attribute #31 which contains the host MAC address)
  • Audit-Session-Id (Cisco VSA)
  • Acct-Session-Id (IETF attribute #44)

However I don't see how to get any of those above into the Advanced Attribute Settings format.

Any advice welcome!

M
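
A troubleshooting check for the situation described above, as an added example that is not part of the original post or Cisco's code: it parses a raw RADIUS CoA request and reports whether the bounce-host-port command arrives with any of the three session identifiers listed. It assumes the request was captured as raw bytes (for example from a packet capture); the function names and both sample packets are constructed for illustration.

```python
import struct

CISCO = 9  # IANA enterprise number for Cisco; Cisco-AVPair is vendor type 1
SESSION_ATTRS = {31: "Calling-Station-Id", 44: "Acct-Session-Id"}
BOUNCE = "subscriber:command=bounce-host-port"

def parse_attributes(packet):
    """Yield (type, value); Cisco-AVPair VSAs come back as ("avpair", text)."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype == 26 and len(value) >= 6:  # Vendor-Specific
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO and vtype == 1:
                yield "avpair", value[6:4 + vlen].decode("ascii", "replace")
                continue
        yield atype, value

def check_bounce(packet):
    """Report whether a bounce command is present and which session keys accompany it."""
    bounce, keys = False, []
    for atype, value in parse_attributes(packet):
        if atype == "avpair":
            bounce = bounce or value == BOUNCE
            if value.startswith("audit-session-id="):
                keys.append("Audit-Session-Id")
        elif atype in SESSION_ATTRS:
            keys.append(SESSION_ATTRS[atype])
    return {"bounce": bounce, "session_keys": keys, "identifiable": bool(keys)}

# Constructed sample packets (zeroed authenticator, documentation-range MAC).
def attr(t, v):
    return bytes([t, len(v) + 2]) + v

def avpair(text):
    return attr(26, struct.pack("!IBB", CISCO, 1, len(text) + 2) + text.encode())

def coa(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 43, 1, 20 + len(body)) + bytes(16) + body

BARE = coa(avpair(BOUNCE))                                     # command only
KEYED = coa(avpair(BOUNCE), attr(31, b"00-00-5E-00-53-01"))    # command + MAC
```

A result with `bounce` true and `identifiable` false matches the case in the post, where the command is sent without a session identifier.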

1 Reply

JAMES THOMAS
Level 1

Did you get this working?