Beginner

Stack-member ISE condition

Is it possible to use the switch stack membership in an ISE condition? My customer wants to treat authentication differently depending on stack membership.

9 Replies
VIP Advocate

Re: Stack-member ISE condition

What is the use case here?

There is no RADIUS attribute passed to ISE that says "this is a stacked switch". You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that, but that wouldn't help as 1/ could be a stack or stand alone.

If they truly want to do this, they should build a custom NDG group in ISE called "Stacked" and have two sub-NDGs called "Yes" and "No". When they add the switch into ISE they set the stacked NDG value correctly and use it in their rules.

(Accepted solution)

Beginner

Re: Stack-member ISE condition

Thank you very much Paul. I will follow your recommendation.

Beginner

Re: Stack-member ISE condition

With your recommendation I meant:

There is no RADIUS attribute passed to ISE that says "this is a stacked switch".  You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that but that wouldn't help as 1/ could be a stack or stand alone.

Rising star

Re: Stack-member ISE condition

Be very careful with using interface IDs for anything in a stack. If you have to rebuild the stack, or change a switch in the stack, you run the risk of the numbering changing if you are not careful. Not running stacks is a much better solution to this.

Beginner

Re: Stack-member ISE condition

Thank you Jan for your warning. Bedankt Jan voor de waarschuwing (thanks Jan for the warning). :-)

VIP Advisor

Re: Stack-member ISE condition

An alternative way around this could be unstacking the switches and giving them each their own management IP, then going down the same path as Paul, placing them in different device groups to leverage in the policy sets.

(Accepted solution)

Cisco Employee

Re: Stack-member ISE condition

There is an attribute on the Catalyst switch that can be manipulated to send a custom string if the IOS is a later version. You can modify the NAS-ID (Attribute 32) with the following command:

SWITCH(config)#radius-server attribute 32 include-in-access-req format ?

  LINE  A string where %i = IP address and %h = hostname, %d = domain name

SWITCH(config)#radius-server attribute 32 include-in-access-req format Stack-%h

The above will prefix the NAS-ID with 'Stack-' followed by the switch hostname and send it along during authentication. Once this is done for all stacked switches, simply create a policy set or rule in ISE that leverages the condition, such as: if NAS-ID starts with 'Stack-' then do X.

(Accepted solution)
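As an added example, not code from this thread or from Cisco, here is what howon's NAS-ID approach and Paul's NAD Port ID inference look like on the wire and as a policy condition. NAS-Identifier is RADIUS attribute 32 and NAS-Port-Id is attribute 87 (RFC 2865 / RFC 2869); the two Access-Requests, the hostnames SW-FLOOR3 and SW-LAB, the IP addresses and the user names are all constructed for the example, and the request authenticator is a fixed placeholder rather than the random value a real switch sends. The code parses the packets with Python's standard library only and evaluates a condition equivalent to "Radius:NAS-Identifier STARTSWITH Stack-" next to the member-number inference from the port id.

```python
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32   # set by "radius-server attribute 32 include-in-access-req format ..."
NAS_PORT_ID = 87

# Constructed request authenticator; a real NAD sends 16 random bytes here.
FAKE_AUTHENTICATOR = bytes(range(16))


def build_access_request(identifier, attrs, authenticator=FAKE_AUTHENTICATOR):
    """Encode an Access-Request: 20-byte header, then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value
                    for atype, value in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Decode the attribute TLVs into {type: [value, ...]}, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match the packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, identifier, attrs


def nas_identifier_matches(attrs, prefix="Stack-"):
    """The rule from the thread: Radius:NAS-Identifier STARTSWITH 'Stack-'."""
    return any(value.decode("utf-8", "replace").startswith(prefix)
               for value in attrs.get(NAS_IDENTIFIER, []))


def stack_member_from_port_id(attrs):
    """Paul's inference: read the member number out of a NAS-Port-Id such as
    'GigabitEthernet2/0/1'. Returns the number, or None when there is no
    member/module/port style id. Member 1 may still be a standalone switch,
    and renumbering a stack (Jan's warning) changes these values."""
    values = attrs.get(NAS_PORT_ID, [])
    if not values:
        return None
    port = values[0].decode("utf-8", "replace")
    if port.count("/") != 2:          # only member/module/port form is stack-style
        return None
    digits = "".join(ch for ch in port.split("/")[0] if ch.isdigit())
    return int(digits) if digits else None


def demo():
    """Two constructed requests for the same port on two hypothetical switches."""
    # Stacked switch configured with 'format Stack-%h', hostname SW-FLOOR3.
    stacked = build_access_request(7, [
        (USER_NAME, b"host/PC-0042"),
        (NAS_IP_ADDRESS, bytes([10, 1, 1, 10])),
        (NAS_IDENTIFIER, b"Stack-SW-FLOOR3"),
        (NAS_PORT_ID, b"GigabitEthernet1/0/5"),   # member 1: looks standalone
    ])
    # Standalone switch configured with plain 'format %h', hostname SW-LAB.
    standalone = build_access_request(8, [
        (USER_NAME, b"host/PC-0043"),
        (NAS_IP_ADDRESS, bytes([10, 1, 1, 20])),
        (NAS_IDENTIFIER, b"SW-LAB"),
        (NAS_PORT_ID, b"GigabitEthernet1/0/5"),
    ])
    results = {}
    for name, packet in (("stacked", stacked), ("standalone", standalone)):
        _, _, attrs = parse_attributes(packet)
        results[name] = (nas_identifier_matches(attrs), stack_member_from_port_id(attrs))
    return results


if __name__ == "__main__":
    for name, (by_nas_id, member) in demo().items():
        print(f"{name}: NAS-Identifier rule matches={by_nas_id}, port-id member={member}")
```

Both switches report the same port, so the port id alone cannot tell them apart, while the NAS-Identifier rule does. Keep in mind that NAS-Identifier is free text the switch is configured to send: ISE trusts it to the extent it trusts the NAD and its shared secret, so the 'Stack-' prefix must be kept out of the standalone switch templates, and a device whose configuration drifts will silently fall into the other policy.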

VIP Advocate

Re: Stack-member ISE condition

Great tip! Learned something new today. I can take the rest of the day off now. :)

Thanks!

Beginner

Re: Stack-member ISE condition

Thank you very much howon. This is the ultimate solution to my question. I will use this in my POC and in a few weeks will let you know how this worked for me.