09-05-2018 06:57 AM
Is it possible to use the switch stack membership in an ISE condition. My customer wants to treat authentication differently depending on a stack membership
09-05-2018 07:28 AM
What is the use case here?
There is no RADIUS attribute passed to ISE that says "this is a stacked switch". You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that but that wouldn't help as 1/ could be a stack or stand alone.
If they truly want to do this, they should build a custom NDG group in ISE called "Stacked" and have two sub-NDGs called "Yes" and "No". When they add the switch into ISE they set the Stacked NDG value correctly and use it in their rules.
09-05-2018 01:02 PM
09-06-2018 06:50 AM - edited 09-06-2018 06:52 AM
There is an attribute on the Catalyst switch that can be manipulated to send a custom string if the IOS is a later version. You can modify the NAS-ID (Attribute 32) with the following command:
SWITCH(config)#radius-server attribute 32 include-in-access-req format ?
LINE A string where %i = IP address and %h = hostname, %d = domain name
SWITCH(config)#radius-server attribute 32 include-in-access-req format Stack-%h
The above will prefix the NAS-ID with 'Stack-' followed by the switch hostname and send it along during authentication. Once this is done for all stacked switches, simply create a policy set or rule in ISE that leverages the condition, such as: if NAS-ID starts with 'Stack-' then do X.
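As an added illustration (not code from the thread, from Cisco or from ISE), the script below shows what the two approaches in this thread look like at the RADIUS level: it builds a constructed Access-Request carrying NAS-Identifier (attribute 32, RFC 2865) and NAS-Port-Id (attribute 87, RFC 2869), parses the attribute list back, and evaluates a condition equivalent to "NAS-Identifier starts with Stack-", alongside the port-number inference the earlier reply warned against. The packet contents, hostnames and the zeroed authenticator are constructed sample values; the condition function is a plain-Python stand-in for the ISE rule, not ISE's own implementation.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
NAS_IDENTIFIER = 32
NAS_PORT_ID = 87


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type (1 byte) / Length (1 byte) / Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(attrs: List[Tuple[int, bytes]], ident: int = 1) -> bytes:
    """Build a minimal Access-Request (constructed sample; a real client sends a
    random 16-byte Request Authenticator, here it is a zero placeholder)."""
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    authenticator = b"\x00" * 16
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body


def parse_attributes(payload: bytes) -> Dict[int, List[bytes]]:
    """Parse the attribute list that follows the 20-byte RADIUS header.
    Rejects truncated or malformed TLVs instead of reading past the buffer."""
    attrs: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.setdefault(atype, []).append(payload[i + 2:i + alen])
        i += alen
    return attrs


def nas_identifier(attrs: Dict[int, List[bytes]]) -> Optional[str]:
    vals = attrs.get(NAS_IDENTIFIER)
    return vals[0].decode("ascii", errors="replace") if vals else None


def condition_nas_id_starts_with(attrs: Dict[int, List[bytes]], prefix: str = "Stack-") -> bool:
    """Stand-in for the ISE condition 'NAS-Identifier STARTS WITH Stack-'."""
    nid = nas_identifier(attrs)
    return nid is not None and nid.startswith(prefix)


def stack_member_from_port_id(attrs: Dict[int, List[bytes]]) -> Optional[bool]:
    """The inference the earlier reply cautioned against: read the member number
    from a member/module/port style NAS-Port-Id. Returns True only when the member
    number is 2 or higher (which only a stack can produce); returns None when it is
    1 (stack or standalone, undecidable) or the format is not recognised."""
    vals = attrs.get(NAS_PORT_ID)
    if not vals:
        return None
    m = re.search(r"(\d+)/(\d+)/(\d+)$", vals[0].decode("ascii", errors="replace"))
    if not m:
        return None
    return True if int(m.group(1)) >= 2 else None


def classify(attrs: Dict[int, List[bytes]]) -> str:
    """Prefer the explicit NAS-ID marker; fall back to the port inference only
    as a labelled, unreliable hint."""
    if condition_nas_id_starts_with(attrs):
        return "stacked"
    if stack_member_from_port_id(attrs):
        return "stacked (inferred from port, unreliable)"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: a switch configured with 'format Stack-%h'
    pkt = build_access_request([(NAS_IDENTIFIER, b"Stack-SW-CORE-01"),
                                (NAS_PORT_ID, b"GigabitEthernet1/0/5")])
    print(classify(parse_attributes(pkt[20:])))  # stacked
```

The NAS-Port-Id inference is kept only to make the caveat concrete: a port on member 1 says nothing about stacking, and member numbers can change when a stack is rebuilt, whereas the NAS-Identifier prefix is set deliberately per switch and survives such changes.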
09-05-2018 11:42 PM
Thank you very much Paul. I will follow your recommendation.
09-05-2018 11:44 PM
With your recommendation I meant:
There is no RADIUS attribute passed to ISE that says "this is a stacked switch". You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that but that wouldn't help as 1/ could be a stack or stand alone.
09-06-2018 12:37 AM
Be very careful with using interface IDs for anything in a stack. If you have to rebuild the stack, or change a switch in the stack, you run the risk of the numbering changing if you are not careful. Not running stacks is a much better solution to this.
09-06-2018 12:42 AM
Thank you Jan for your warning. Thanks Jan for the warning. :-)
09-06-2018 06:59 AM
Great tip! Learned something new today. I can take the rest of the day off now. :)
Thanks!
09-06-2018 07:03 AM
Thank you very much howon. This is the ultimate solution to my question. I will use this in my POC and in a few weeks will let you know how this worked for me.