dirksmit
Beginner

Stack-member ISE condition

Is it possible to use the switch stack membership in an ISE condition? My customer wants to treat authentication differently depending on stack membership.

3 Accepted Solutions
paul
Advocate

What is the use case here?

There is no RADIUS attribute passed to ISE that says "this is a stacked switch". You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that, but that wouldn't help as 1/ could be a stack or stand alone.

If they truly want to do this, they should build a custom NDG group in ISE called "Stacked" and have two sub-NDGs called "Yes" and "No". When they add the switch into ISE they set the Stacked NDG value correctly and use it in their rules.


Damien Miller
VIP Advisor

An alternative way around this could be unstacking the switches and giving them each their own management IP. Then going down the same path as Paul, placing them in different device groups to leverage in the policy sets.


howon
Cisco Employee

There is an attribute on the Catalyst switch that can be manipulated to send a custom string if the IOS is of a later version. You can modify the NAS-ID (Attribute 32) with the following command:

SWITCH(config)#radius-server attribute 32 include-in-access-req format ?

  LINE  A string where %i = IP address and %h = hostname, %d = domain name

 

SWITCH(config)#radius-server attribute 32 include-in-access-req format Stack-%h

Above will prefix the NAS-ID with 'Stack-' and the switch hostname and send it along during authentication. Once this is done for all stacked switches, simply create a policy set or rule in ISE that leverages the condition, such as If NAS-ID starts with 'Stack-' then do X.

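An added example, not code from this thread or from Cisco, that models the three approaches discussed above as ISE-side conditions evaluated over a constructed RADIUS Access-Request (attributes TLV-encoded per RFC 2865): Paul's custom "Stacked" NDG lookup keyed by NAS-IP-Address, howon's "NAS-Identifier starts with Stack-" check, and the NAS-Port-Id inference, which comes back undecided for a member-1 port because 1/x/y looks the same on a stack and on a standalone switch. The NDG table, IP addresses, hostnames and port strings are constructed, and the %h expansion only mimics what the attribute-32 format command describes; it is my modelling, not the switch's code.

```python
import re
import socket

# RADIUS attribute type codes (RFC 2865 / RFC 2869)
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32
NAS_PORT_ID = 87


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_avps(payload: bytes) -> dict:
    """Parse a TLV attribute sequence into {type: value}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("attribute length out of range")
        attrs[attr_type] = payload[i + 2:i + length]
        i += length
    return attrs


def switch_access_request(nas_ip: str, hostname: str, port_id: str,
                          nas_id_format: str = "%h") -> bytes:
    """Constructed NAD behaviour: expand %h and %i in the attribute-32 format
    string the way the 'radius-server attribute 32 ... format' CLI describes."""
    nas_id = nas_id_format.replace("%h", hostname).replace("%i", nas_ip)
    return (encode_avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
            + encode_avp(NAS_IDENTIFIER, nas_id.encode())
            + encode_avp(NAS_PORT_ID, port_id.encode()))


# Constructed NDG table (Paul's approach): NAD IP -> value of the custom "Stacked" NDG.
NDG_STACKED = {"10.0.0.11": "Yes", "10.0.0.12": "No"}


def cond_ndg_stacked(attrs: dict) -> bool:
    """Device-group condition: the NAD is identified by NAS-IP-Address, not by a RADIUS string."""
    return NDG_STACKED.get(socket.inet_ntoa(attrs[NAS_IP_ADDRESS])) == "Yes"


def cond_nas_id_prefix(attrs: dict, prefix: str = "Stack-") -> bool:
    """howon's condition: NAS-Identifier (attribute 32) starts with 'Stack-'."""
    return attrs.get(NAS_IDENTIFIER, b"").decode(errors="replace").startswith(prefix)


def cond_port_heuristic(attrs: dict):
    """Port-based inference: a member number >= 2 proves a stack; member 1 is
    ambiguous (None) because 1/x/y looks the same on a stack and a standalone switch."""
    port = attrs.get(NAS_PORT_ID, b"").decode(errors="replace")
    m = re.fullmatch(r"[A-Za-z]+(\d+)/\d+/\d+", port)
    if m is None:
        return None
    return True if int(m.group(1)) >= 2 else None


def evaluate(raw_attrs: bytes) -> dict:
    """Run all three conditions over one decoded Access-Request."""
    attrs = decode_avps(raw_attrs)
    return {"ndg": cond_ndg_stacked(attrs),
            "nas_id": cond_nas_id_prefix(attrs),
            "port_guess": cond_port_heuristic(attrs)}


def scenarios() -> dict:
    """Constructed requests: a stack configured with 'format Stack-%h' (auth on
    member 2 and on member 1) and a standalone switch with the default NAS-ID."""
    return {
        "stack_member2": switch_access_request(
            "10.0.0.11", "SW-STACK", "GigabitEthernet2/0/5", "Stack-%h"),
        "stack_member1": switch_access_request(
            "10.0.0.11", "SW-STACK", "GigabitEthernet1/0/7", "Stack-%h"),
        "standalone": switch_access_request(
            "10.0.0.12", "SW-SOLO", "GigabitEthernet1/0/7"),
    }


if __name__ == "__main__":
    for name, raw in scenarios().items():
        print(f"{name:14s} {evaluate(raw)}")
```

Running it shows the member-1 row with port_guess None while both ndg and nas_id still say True, which is exactly the gap Paul and Jan point at. The NDG approach needs no switch change but depends on an administrator setting the group correctly when each NAD is added; the NAS-ID approach is self-describing but only as trustworthy as the config on every stack, so a stack left on the default format silently falls out of the "Stack-" rule.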

9 Replies

Thank you very much Paul. I will follow your recommendation.

With your recommendation I meant:

There is no RADIUS attribute passed to ISE that says "this is a stacked switch".  You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that but that wouldn't help as 1/ could be a stack or stand alone.

Be very careful with using interface IDs for anything in a stack; if you have to rebuild the stack, or change a switch in the stack, you run the risk of the numbering changing if you are not careful. Not running stacks is a much better solution to this.

Thank you Jan for your warning. Thanks Jan for the warning. :-)



Great tip!  Learned something new today.  I can take the rest of the day off now.  :)

 

Thanks!

Thank you very much howon. This is the ultimate solution to my question. I will use this in my POC and in a few weeks will let you know how this worked for me.
