09-05-2018 06:57 AM
Is it possible to use the switch stack membership in an ISE condition. My customer wants to treat authentication differently depending on a stack membership
09-05-2018 07:28 AM
What is the use case here?
There is no RADIUS attribute passed to ISE that says "this is a stacked switch". You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that but that wouldn't help as 1/ could be a stack or stand alone.
If they truly want to do this, they should build a custom NDG group in ISE called "Stacked" and have two sub-NDGs called "Yes" and "No". When they add the switch into ISE they set the stacked NDG value correctly and use it in their rules.
09-05-2018 11:42 PM
Thank you very much Paul. I will follow your recommendation.
09-05-2018 11:44 PM
with your recommendation I meant :
There is no RADIUS attribute passed to ISE that says "this is a stacked switch". You could infer stacking by looking at the NAD Port ID starting with 2/, 3/ or something like that but that wouldn't help as 1/ could be a stack or stand alone.
09-06-2018 12:37 AM
Be very careful with using interface IDs for anything in a stack; if you have to rebuild the stack, or change a switch in the stack, you run the risk of the numbering changing if you are not careful. Not running stacks is a much better solution to this.
09-06-2018 12:42 AM
Thank you Jan for your warning. Thanks Jan for the warning. :-)
09-06-2018 06:50 AM - edited 09-06-2018 06:52 AM
There is an attribute on the Catalyst switch that can be manipulated to send a custom string if the IOS is of a later version. You can modify the NAS-ID (Attribute 32) with the following command:
SWITCH(config)#radius-server attribute 32 include-in-access-req format ?
LINE A string where %i = IP address and %h = hostname, %d = domain name
SWITCH(config)#radius-server attribute 32 include-in-access-req format Stack-%h
The above will prefix the NAS-ID with 'Stack-' and the switch hostname and send it along during authentication. Once this is done for all stacked switches, simply create a policy set or rule in ISE that leverages the condition, such as: if NAS-ID starts with 'Stack-' then do X.
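As an added example that is not from any poster in this thread and not Cisco code, the script below shows the two halves of the approach above on the wire: it expands the IOS format string (%h hostname, %i IP address, %d domain name) into the NAS-Identifier value the switch would send, builds a minimal RADIUS Access-Request carrying attribute 32, and then evaluates the ISE-style condition "NAS-ID starts with 'Stack-'" against the parsed attributes. The hostnames, IP addresses and packet contents are constructed sample values; the parser also rejects a malformed attribute length, which is the check a policy engine needs before trusting any NAD-supplied string.

```python
import struct

# RADIUS constants (RFC 2865); attribute 32 is NAS-Identifier.
RADIUS_ACCESS_REQUEST = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
ATTR_NAS_PORT_ID = 87


def build_nas_id(fmt, hostname, ip, domain):
    """Expand the IOS 'radius-server attribute 32 ... format' string.
    %h = hostname, %i = IP address, %d = domain name (from the CLI help above)."""
    return fmt.replace("%h", hostname).replace("%i", ip).replace("%d", domain)


def encode_attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (length includes the 2-byte header)."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, attrs):
    """Constructed Access-Request: code, identifier, length, 16-byte authenticator, attributes.
    The authenticator is zeroed here; a real NAD sends 16 random bytes."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(body))
    return header + b"\x00" * 16 + body


def parse_attrs(packet):
    """Return (code, [(type, raw_value), ...]); raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def nas_identifier(attrs):
    """The NAS-Identifier string, or None if the NAD did not send attribute 32."""
    for attr_type, value in attrs:
        if attr_type == ATTR_NAS_IDENTIFIER:
            return value.decode("utf-8", errors="replace")
    return None


def is_stacked(packet, prefix="Stack-"):
    """The ISE-style condition: NAS-ID starts with 'Stack-'."""
    _code, attrs = parse_attrs(packet)
    nas_id = nas_identifier(attrs)
    return nas_id is not None and nas_id.startswith(prefix)


def sample_packets():
    """Two constructed Access-Requests: one from a switch configured with
    'format Stack-%h', one from a stand-alone switch with the default NAS-ID."""
    stacked = build_access_request(7, [
        (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 11])),           # constructed address
        (ATTR_NAS_IDENTIFIER, build_nas_id("Stack-%h", "stack-sw-01", "10.0.0.11", "example.test")),
        (ATTR_NAS_PORT_ID, "GigabitEthernet2/0/5"),
    ])
    standalone = build_access_request(8, [
        (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 12])),           # constructed address
        (ATTR_NAS_IDENTIFIER, "access-sw-02"),
        (ATTR_NAS_PORT_ID, "GigabitEthernet1/0/5"),
    ])
    return stacked, standalone


if __name__ == "__main__":
    for pkt in sample_packets():
        _code, attrs = parse_attrs(pkt)
        print(f"NAS-ID={nas_identifier(attrs)!r} stacked={is_stacked(pkt)}")
```

Note that the match is on a string the NAD itself supplies, so it is only as trustworthy as the switch configuration it came from; the NDG approach earlier in the thread keeps that classification on the ISE side instead. A stand-alone switch whose port ID starts with 1/ is correctly not matched here, which is the limitation Paul described when inferring stacking from the port number alone.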
09-06-2018 06:59 AM
Great tip! Learned something new today. I can take the rest of the day off now. :)
Thanks!
09-06-2018 07:03 AM
Thank you very much howon. This is the ultimate solution to my question. I will use this in my POC and in a few weeks will let you know how this worked for me.