11-15-2017 02:20 AM
Hi!
I have an ISE server and switch environment with dot1x enabled and configured.
Is it possible to receive an email every time a user authenticates on one port, then unplugs the cable, plugs it into another port (on the same or on a different switch) and authenticates again?
If so, how could I complete this?
Switches could send SNMP traps to ISE and ISE could notify me about some alerts via email, but I can't find MAC move alerts in the ISE configuration.
11-15-2017 04:29 AM
This is not a capability of ISE.
What are you trying to prevent?
11-15-2017 04:59 AM
Trying to prevent users from moving on their own from one switch port to another one.
11-15-2017 05:06 AM
I think this is not possible, but the main question is why users have access to the switch and can unplug cables or something else. One more thing I'd mention: if they plug or unplug from one port to another, you can create an authorization policy in ISE so they are always associated with the VLAN you want to use (if the ports are in different VLANs).
11-15-2017 05:08 AM
This is a network management function and not an ISE function.
On the switch you can restrict the MAC addresses allowed, I believe, by first learning and only allowing that MAC address.
11-15-2017 06:08 AM
It's not a useful solution... We have plenty of users and they move from one office to another (with IT support help, officially, and without support, which is what we want to eliminate). Every user has a PC and an IP phone. There is also port-security on the switch ports with a maximum of 2 MAC addresses (any). I don't want to bind MAC addresses to switch ports because it would be a nightmare to administer such an environment with officially migrating users. That's why I'm looking for another solution.
If it's not ISE, then what should it be?
11-15-2017 08:21 AM
Like the others said, this is not a feature in ISE. Please investigate it on Cisco IOS platform support. It might be possible to use EEM (Cisco EEM Basic Overview and Sample Con... - Cisco Support Community) and Cisco Prime Infrastructure or Cisco DNA Center might help in deploying the scripts.
11-15-2017 09:43 AM
The requirement doesn’t make a lot of sense, but I think you can do it with something like Splunk by correlating logs and alerting based on specific rules. Why does it matter if they move as long as they get the same access to the network anywhere they connect?
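One way to do the log correlation suggested in the reply above, as an added example that is not part of the original thread: track the last switch and port each MAC authenticated on and report a change, skipping moves IT support has pre-approved. The log line layout is constructed for illustration (RADIUS attribute names used as keys), so a real ISE or switch log feed needs its own parser; `find_moves`, `normalize_mac` and the `approved` set are hypothetical names.

```python
import re
from datetime import datetime

# Constructed sample records (not real ISE output): one passed 802.1X
# authentication per line, with RADIUS attribute names as keys.
SAMPLE_LOG = """\
2017-11-15T08:00:01 Calling-Station-ID=00-11-22-AA-BB-01 NAS-IP-Address=10.0.0.11 NAS-Port-Id=Gi1/0/5
2017-11-15T08:00:03 Calling-Station-ID=00-11-22-AA-BB-02 NAS-IP-Address=10.0.0.11 NAS-Port-Id=Gi1/0/7
2017-11-15T09:00:01 Calling-Station-ID=0011.22aa.bb01 NAS-IP-Address=10.0.0.11 NAS-Port-Id=Gi1/0/5
2017-11-15T10:15:40 Calling-Station-ID=00:11:22:aa:bb:01 NAS-IP-Address=10.0.0.12 NAS-Port-Id=Gi1/0/9
2017-11-15T11:30:00 Calling-Station-ID=00:11:22:AA:BB:02 NAS-IP-Address=10.0.0.11 NAS-Port-Id=Gi1/0/8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+Calling-Station-ID=(?P<mac>\S+)\s+"
    r"NAS-IP-Address=(?P<nas>\S+)\s+NAS-Port-Id=(?P<port>\S+)$"
)

def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if len(digits) == 12 else None

def find_moves(log_text, approved=frozenset()):
    """Return one event per MAC that authenticates on a new (switch, port).

    approved holds (mac, nas, port) tuples for moves planned by IT support;
    those update the known location without producing an event.
    """
    last_seen = {}  # mac -> (nas, port) of the most recent authentication
    moves = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not (mac := normalize_mac(m["mac"])):
            continue  # not an authentication record, or malformed MAC
        where = (m["nas"], m["port"])
        prev = last_seen.get(mac)
        # Re-authentication on the same port is not a move.
        if prev and prev != where and (mac, *where) not in approved:
            moves.append({"time": datetime.fromisoformat(m["ts"]),
                          "mac": mac, "from": prev, "to": where})
        last_seen[mac] = where
    return moves

if __name__ == "__main__":
    for event in find_moves(SAMPLE_LOG):
        print(event)
```

Each returned event carries the time, the MAC and the old and new location, which is what an email or ticket alert would need.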
11-15-2017 11:39 PM
Thanks