Limiting Device Movement using MAC Address

fdharmawan
Level 4

Hi Guys,

Is it possible to limit device movement using the MAC address? In this case, I want to limit IP phone movement. The definition of movement is that I want a certain IP phone to connect only to a certain switch port. Let's say IP phone A can only connect to Switch A port 1, while IP phone B can only connect to Switch B port 10. The IP phones will use the voice VLAN, while an access VLAN is also configured on the port, so any user can use the extension port on the back of the IP phone.

I already managed to limit the movement, but only on one switch. If I move those IP phones to a different switch, the policy will not take effect. The question would be: can I do it centrally, so I do not have to adjust the configuration on every switch? The command would be a long one, since I have more than 50 IP phones in the deployment and more than 10 switches to be configured. Below is an example of my current commands:

! Static entry pinning phone A's MAC to te3/0/13 in VLAN 10; the switch will not relearn it on another port
mac address-table static 1234.5678.ABCD vlan 10 int te3/0/13
! Drop every frame from this MAC in VLAN 10 (placeholder value: G and H are not hex digits, a real entry must be hexadecimal)
mac address-table static ABCD.EFGH.1234 vlan 10 drop

Accepted Solution

Create two custom attributes, one for the NAD IP and another for the interface name:

  1. Go to Administration > Identity Management > Settings > Endpoint Custom Attributes
  2. Create two attributes called 'NAD' and 'Interface' with the String data type
  3. Go to Context Visibility for each IP phone MAC address and fill in the NAD IP and interface name in the newly created attributes

Create a policy rule for MAB that uses the following condition:

RADIUS:NAS-IP-Address(4) == ENDPOINT:NAD
&
RADIUS:NAS-Port-ID(87) == ENDPOINT:Interface

And assign voice domain permission.

The above should be enough to lock the specific IP phones to a specific NAD + interface.


The basic idea is the same as the instructions in the following link:

https://community.cisco.com/t5/security-documents/dynamic-attribute-with-ise-mac-address-matching/ta-p/3643882
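The rule in the accepted answer is evaluated by ISE itself; the following is an added example (not Cisco's or ISE's code, and not from any poster here) that simulates the same decision in Python so the matching can be checked offline. It assumes ISE compares the two strings exactly with its Equals operator, that the switch sends Calling-Station-Id as the phone's MAC (possibly in a different punctuation than the endpoint record) and NAS-Port-Id as the full interface name (e.g. TenGigabitEthernet3/0/13, not te3/0/13); the endpoint records, IP addresses and RADIUS requests are constructed sample data. The `audit` function shows the defender's view: which phones turned up on a switch or port other than the one recorded for them.

```python
import re
from dataclasses import dataclass

# Constructed endpoint records standing in for the ISE endpoint database, keyed by MAC.
# 'NAD' and 'Interface' are the two custom attributes from the accepted answer.
ENDPOINTS = {
    "12:34:56:78:AB:CD": {"NAD": "10.0.0.1", "Interface": "TenGigabitEthernet3/0/13"},
    "AB:CD:EF:01:12:34": {"NAD": "10.0.0.2", "Interface": "GigabitEthernet1/0/10"},
}


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC written as 1234.5678.abcd, 12-34-56-78-AB-CD or 12:34:56:78:AB:CD.

    The switch sends Calling-Station-Id in its own format, so the endpoint lookup
    must not depend on punctuation or case.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class RadiusRequest:
    """The three RADIUS attributes the rule looks at (constructed, not a real packet)."""
    calling_station_id: str  # attribute 31: endpoint MAC as the switch sends it
    nas_ip_address: str      # attribute 4: the switch's RADIUS source address
    nas_port_id: str         # attribute 87: interface name, e.g. TenGigabitEthernet3/0/13


def authorize_mab(req: RadiusRequest, endpoints=ENDPOINTS) -> tuple:
    """Evaluate the rule; returns (result, reason).

    'PermitAccess-Voice' stands in for the voice domain permission; anything else is
    a rejection and the reason says which comparison failed. Both comparisons are
    exact string matches (assumption: this mirrors ISE's Equals operator), so the
    stored Interface value must be the full name the switch puts in NAS-Port-Id.
    """
    try:
        mac = normalize_mac(req.calling_station_id)
    except ValueError as exc:
        return ("Reject", str(exc))
    endpoint = endpoints.get(mac)
    if endpoint is None:
        return ("Reject", f"{mac} has no NAD/Interface attributes")
    if req.nas_ip_address != endpoint["NAD"]:
        return ("Reject", f"NAS-IP-Address {req.nas_ip_address} != NAD {endpoint['NAD']}")
    if req.nas_port_id != endpoint["Interface"]:
        return ("Reject", f"NAS-Port-Id {req.nas_port_id!r} != Interface {endpoint['Interface']!r}")
    return ("PermitAccess-Voice", "NAD and Interface match")


def audit(requests, endpoints=ENDPOINTS):
    """Run a batch of requests and return the rejected ones as (MAC, NAS IP, port, reason).

    This is the view a defender wants from the live log: which phones showed up on a
    switch or port other than the one recorded for them.
    """
    moved = []
    for req in requests:
        result, reason = authorize_mab(req, endpoints)
        if result != "PermitAccess-Voice":
            moved.append((req.calling_station_id, req.nas_ip_address, req.nas_port_id, reason))
    return moved


if __name__ == "__main__":
    # Constructed sample requests: phone A in place, phone A moved to another switch,
    # phone B sent with a short interface name (fails: the stored value is the full
    # name), and an unknown MAC.
    sample = [
        RadiusRequest("12-34-56-78-AB-CD", "10.0.0.1", "TenGigabitEthernet3/0/13"),
        RadiusRequest("12-34-56-78-AB-CD", "10.0.0.2", "GigabitEthernet1/0/10"),
        RadiusRequest("abcd.ef01.1234", "10.0.0.2", "Gi1/0/10"),
        RadiusRequest("00-11-22-33-44-55", "10.0.0.1", "TenGigabitEthernet3/0/1"),
    ]
    for row in audit(sample):
        print("REJECT", *row)
```

The third sample request is the practical pitfall: if the Interface attribute is filled in with an abbreviated name, the rule never matches and the phone is rejected on its own port. Copy the exact NAS-Port-Id value from a live log authentication detail into the endpoint attribute rather than typing it by hand.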


6 Replies

howon
Cisco Employee

Are you using RADIUS server like ISE or ACS? Using ISE/ACS will let you manage policy centrally regardless of where IP Phone connects.

Hi howon,

Yes, I'm using ISE v2.3.

From the Live Log authentication detail, I saw the switch name, switch IP address, and device MAC address. But I did not see the source port on the switch in the log detail. Can I also set the source port on ISE?
I'm thinking of defining the incoming switch address on ISE, but also setting the MAC limitation on the local switch, since I did not see any port-like attributes on ISE. Do you think this will work? I will be working on this idea in my environment.


balaji.bandi
Hall of Fame

Adding to the other post:

You have 2 options.

Option 1: you need to have a centralised identity system which can take care of the policies.

Option 2: you need to do it manually on every device (which is time consuming for adding and removing).

My suggestion is to have Option 1 (look for options in the market).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

I have ISE 2.3 installed. On ISE, I should be working on Policy Sets menu, right? Or somewhere else?

Follow the other post as suggested. Let us know if you need any further assistance.

BB
