Stack-member ISE condition

dirksmit
Level 1

Is it possible to use the switch stack membership in an ISE condition. My customer wants to treat authentication differently depending on a stack membership


9 Replies

paul
Level 10

What is the use case here?

There is no RADIUS attribute passed to ISE that says "this is a stacked switch". You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that, but that wouldn't help, as 1/ could be a stack or stand-alone.

If they truly want to do this, they should build a custom NDG group in ISE called "Stacked" and have two sub-NDGs called "Yes" and "No". When they add the switch into ISE they set the stacked NDG value correctly and use it in their rules.

Thank you very much Paul. I will follow your recommendation.

With your recommendation I meant:

There is no RADIUS attribute passed to ISE that says "this is a stacked switch".  You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that but that wouldn't help as 1/ could be a stack or stand alone.

Be very careful with using interface IDs for anything in a stack; if you have to rebuild the stack, or change a switch in the stack, you run the risk of the numbering changing if you are not careful. Not running stacks is a much better solution to this.

Thank you Jan for your warning. Thanks for the warning, Jan. :-)

Damien Miller
VIP Alumni

An alternative way around this could be unstacking the switches and giving them each their own management IP. Then going down the same path as Paul, placing them in different device groups to leverage in the policy sets.

howon
Cisco Employee

There is an attribute on the Catalyst switch that can be manipulated to send a custom string if the IOS is of a later version. You can modify the NAS-ID (Attribute 32) with the following command:

SWITCH(config)#radius-server attribute 32 include-in-access-req format ?

  LINE  A string where %i = IP address and %h = hostname, %d = domain name

SWITCH(config)#radius-server attribute 32 include-in-access-req format Stack-%h

The above will prefix the NAS-ID with 'Stack-' and the switch hostname and send it along during authentication. Once this is done for all stacked switches, simply create a policy set or rule in ISE that leverages the condition, such as "If NAS-ID starts with 'Stack-' then do X".
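To make the two approaches in this thread concrete, here is an added example (not from the original posts, not Cisco or ISE code) that builds a constructed RADIUS Access-Request, extracts NAS-Identifier (attribute 32) and NAS-Port-Id (attribute 87), and evaluates both the NAS-ID prefix rule howon describes and the port-ID inference Paul warns is ambiguous for member 1. Packet layout follows RFC 2865; the authenticator is a fixed placeholder.

```python
import re
import struct

NAS_IDENTIFIER = 32  # RFC 2865 NAS-Identifier, the attribute the switch formats as Stack-%h
NAS_PORT_ID = 87     # RFC 2869 NAS-Port-Id, e.g. "GigabitEthernet2/0/1"
USER_NAME = 1


def build_access_request(attrs, identifier=1):
    """Build a minimal RADIUS Access-Request (code 1) from (type, value) pairs.
    Constructed sample only: the 16-byte Request Authenticator is zeroed, not computed."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + b"\x00" * 16
    return header + body


def parse_attributes(packet):
    """Return {attribute_type: [values]} from the attribute section of a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def nas_id_says_stacked(attrs, prefix="Stack-"):
    """The ISE condition howon suggests: NAS-Identifier starts with 'Stack-'.
    Note the value is a free-form string set by the NAD's own config; ISE accepts it from
    any NAD that passes the shared-secret check, so it classifies the device, it does not
    prove anything about it."""
    nas_id = attrs.get(NAS_IDENTIFIER, [b""])[0].decode("utf-8", "replace")
    return nas_id.startswith(prefix)


def port_id_implies_stacked(attrs):
    """Paul's inference: member number > 1 in NAS-Port-Id proves a stack, but member 1
    is ambiguous (stack master or standalone), so return None rather than False."""
    port = attrs.get(NAS_PORT_ID, [b""])[0].decode("utf-8", "replace")
    m = re.search(r"(\d+)/\d+/\d+$", port)
    if not m:
        return None
    return True if int(m.group(1)) > 1 else None
```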

Great tip! Learned something new today. I can take the rest of the day off now. :)

Thanks!

Thank you very much howon. This is the ultimate solution to my question. I will use this in my POC and in a few weeks will let you know how this worked for me.