Port Bounce using ISE Policy Advanced Attribute Settings

mark373737
Beginner

Hi All,

We have a software issue where a certain type of vendor device randomly starts using an incorrect source MAC address. A manual port-bounce cures the problem... and afterwards the device type uses the correct source MAC address. So I'd like to replicate this in ISE policy. The device types always use the same incorrect source MAC address, which occurs across the network.

I have created an ISE policy that looks for the incorrect MAC address (which I have put into an Endpoint Group) and, if found, applies the policy.

So I now need to make the policy itself do a port-bounce.

I have found information that suggests you can issue a port bounce under ISE Policy elements (Advanced Attribute Settings) as follows:

Cisco:Avpair="subscriber:command=bounce-host-port"

That works OK, but this command needs an accompanying session identifier, else the port bounce fails with a Disconnect NAK (which I am seeing). According to Cisco, this session identifier can use:

  • Calling-Station-Id (IETF attribute #31 which contains the host MAC address)
  • Audit-Session-Id (Cisco VSA)
  • Acct-Session-Id (IETF attribute #44)

However I don't see how to get any of those above into the Advanced Attribute Settings format.

Any advice welcome!

M
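
For troubleshooting the NAK described in the question, here is an added example (not part of the original post, and not Cisco code): a decoder for a captured RADIUS CoA-Request that reports whether the bounce-host-port cisco-av-pair is accompanied by one of the three session identifiers listed above. The helper names and sample packets are constructed, the authenticator is left zeroed, and it assumes the Audit-Session-Id travels as an `audit-session-id=` cisco-av-pair.

```python
import struct

CISCO_VENDOR_ID = 9            # Cisco's IANA enterprise number
COA_REQUEST = 43               # RFC 5176 CoA-Request code
BOUNCE = "subscriber:command=bounce-host-port"
SESSION_ATTRS = {31: "Calling-Station-Id", 44: "Acct-Session-Id"}

def attr(attr_type, value):
    """Encode one RADIUS attribute (type, length incl. 2-byte header, value)."""
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text):
    """Wrap text as Vendor-Specific (26) / vendor 9 / sub-type 1 (cisco-av-pair)."""
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + attr(1, text.encode()))

def build_coa(attrs, ident=1):
    """Constructed sample packet; the 16-byte authenticator is left zeroed."""
    body = b"".join(attrs)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body)) + bytes(16) + body

def parse_attrs(packet):
    """Return (code, [(type, value), ...]), rejecting truncated or malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos, out = 20, []
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, out

def check_bounce(packet):
    """Report whether a bounce command is present and which session identifiers accompany it."""
    code, attrs = parse_attrs(packet)
    avpairs, ids = [], []
    for attr_type, value in attrs:
        if attr_type in SESSION_ATTRS:
            ids.append(SESSION_ATTRS[attr_type])
        elif (attr_type == 26 and len(value) >= 6 and value[4] == 1
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            avpairs.append(value[6:4 + value[5]].decode(errors="replace"))
    # Assumption: Audit-Session-Id is carried as an "audit-session-id=" cisco-av-pair.
    if any(p.startswith("audit-session-id=") for p in avpairs):
        ids.append("Audit-Session-Id")
    return {"code": code, "bounce": BOUNCE in avpairs, "session_ids": ids}
```

Feeding it the payload of a CoA packet exported from a capture shows at a glance whether the request the switch rejected carried only the command or also a session identifier.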


JAMES THOMAS
Beginner

Did you get this working?
