Beginner

Limiting Device Movement using MAC Address

Hi Guys,

Is it possible to limit device movement using MAC address? In this case, I want to limit IP phones' movement. What I mean by movement is: I want a certain IP phone to connect on a certain switch port. Let's say IP phone A can only connect to Switch A port 1, while IP phone B can only connect to Switch B port 10. The IP phone will use the voice VLAN, while an access VLAN is also configured on the port, so any user can use the extension port on the back of the IP phone.

I already managed to limit the movement, but only on one switch. If I move those IP phones to a different switch, the policy will not take effect. The question would be, can I do it centrally, so I do not have to adjust the configuration on every switch? The command would be a long one, since I have more than 50 IP phones deployed and more than 10 switches to be configured. Below is an example of my current commands:

mac address-table static 1234.5678.ABCD vlan 10 int te3/0/13
mac address-table static ABCD.EFGH.1234 vlan 10 drop

Accepted Solution
Cisco Employee

Re: Limiting Device Movement using MAC Address

Create two custom attributes; one for the NAD IP and another for the interface name:

  1. Go to Administration > Identity Management > Settings > Endpoint Custom Attributes
  2. Create two attributes called 'NAD' and 'Interface' with String data type
  3. Go to Context Visibility for each of the IP phone MAC addresses and fill in the NAD IP and interface name in the newly created attributes

Create a policy rule for MAB that uses the following condition:

RADIUS:NAS-IP-Address(4) == ENDPOINT:NAD
&
RADIUS:NAS-Port-ID(87) == ENDPOINT:Interface

And assign voice domain permission.

The above should be enough to lock in the specific IP phones to a specific NAD + interface.

The basic idea is the same as in the instructions at the following link:

https://community.cisco.com/t5/security-documents/dynamic-attribute-with-ise-mac-address-matching/ta-p/3643882

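To make the accepted answer's rule concrete, here is an added Python simulation of how that single MAB rule evaluates a RADIUS request against the two custom endpoint attributes. This is example code written for this page, not code from the thread and not ISE's own logic. The endpoint records, switch IP addresses and RADIUS requests are constructed sample data; the attribute names NAD and Interface, and the RADIUS attributes NAS-IP-Address(4), NAS-Port-Id(87) and Calling-Station-Id, are the real ones the answer refers to.

```python
import re

# Outcomes of the rule: the authorization result granted on a match, and the
# implicit deny when no rule matches.
VOICE_PERMIT = "PermitAccess + Voice Domain Permission"
DENY = "DenyAccess"

# Constructed endpoint store: MAC -> the two custom attributes the answer has
# you fill in under Context Visibility. All values are made up for the example.
ENDPOINTS = {
    "12:34:56:78:AB:CD": {"NAD": "10.10.0.1", "Interface": "TenGigabitEthernet3/0/13"},
    "00:11:22:33:44:55": {"NAD": "10.10.0.2", "Interface": "GigabitEthernet1/0/10"},
}


def normalize_mac(mac):
    """Canonicalize a MAC to the form ISE keys endpoints by: AA:BB:CC:DD:EE:FF.

    Accepts Cisco dotted (1234.5678.abcd), dashed and colon notations.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def evaluate_mab(request, endpoints=ENDPOINTS):
    """Evaluate one MAB request against the rule

        RADIUS:NAS-IP-Address(4) == ENDPOINT:NAD
        AND RADIUS:NAS-Port-Id(87) == ENDPOINT:Interface

    `request` carries the RADIUS attributes ISE receives from the switch.
    Returns (result, reason).
    """
    mac = normalize_mac(request["Calling-Station-Id"])
    endpoint = endpoints.get(mac)
    if endpoint is None:
        # No endpoint record means no custom attributes, so the rule cannot
        # match; an unknown MAC on a phone port is denied, not permitted.
        return DENY, "unknown endpoint"
    if request.get("NAS-IP-Address") != endpoint.get("NAD"):
        return DENY, "phone is on the wrong switch"
    # Plain string equality, exactly as the ISE condition does it: the value
    # stored in the Interface attribute must be the verbatim NAS-Port-Id text
    # the switch sends, not an abbreviation or a different spelling.
    if request.get("NAS-Port-Id") != endpoint.get("Interface"):
        return DENY, "phone is on the wrong port"
    return VOICE_PERMIT, "NAD and interface match"


def run_scenarios():
    """Constructed RADIUS requests covering the cases the thread cares about."""
    phone_a = "1234.5678.ABCD"  # same placeholder MAC as the OP's first static entry
    scenarios = {
        "phone A on its own port": {
            "Calling-Station-Id": phone_a,
            "NAS-IP-Address": "10.10.0.1",
            "NAS-Port-Id": "TenGigabitEthernet3/0/13",
        },
        "phone A moved to another switch": {
            "Calling-Station-Id": phone_a,
            "NAS-IP-Address": "10.10.0.2",
            "NAS-Port-Id": "TenGigabitEthernet3/0/13",
        },
        "phone A moved to another port on the same switch": {
            "Calling-Station-Id": phone_a,
            "NAS-IP-Address": "10.10.0.1",
            "NAS-Port-Id": "TenGigabitEthernet3/0/14",
        },
        "NAS-Port-Id spelled differently from the stored Interface": {
            # Same physical port, but the strings are not equal, so no match.
            "Calling-Station-Id": phone_a,
            "NAS-IP-Address": "10.10.0.1",
            "NAS-Port-Id": "Te3/0/13",
        },
        "unknown MAC plugged into phone A's port": {
            "Calling-Station-Id": "de-ad-be-ef-00-01",
            "NAS-IP-Address": "10.10.0.1",
            "NAS-Port-Id": "TenGigabitEthernet3/0/13",
        },
    }
    return {name: evaluate_mab(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (result, reason) in run_scenarios().items():
        print("%-58s -> %-40s (%s)" % (name, result, reason))
```

Two practical points fall out of the simulation. First, the condition is an exact string comparison, so the Interface value you enter for each phone must be the NAS-Port-Id text the switch actually sends (copy it from the RADIUS attributes in the authentication detail rather than typing a short form). Second, ISE evaluates authorization rules top down and stops at the first match, so this rule must sit above any broader MAB or IP-phone rule; otherwise a phone on the wrong port simply falls through to the broader rule and is still permitted. The PC behind the phone is unaffected, since it is authenticated separately by its own MAC.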

6 Replies
Cisco Employee

Re: Limiting Device Movement using MAC Address

Are you using RADIUS server like ISE or ACS? Using ISE/ACS will let you manage policy centrally regardless of where IP Phone connects.

Beginner

Re: Limiting Device Movement using MAC Address

Hi howon,

Yes, I'm using ISE v2.3.

From the Live Log authentication detail, I saw the switch name, switch IP address, and device MAC address. But I did not see the source port from the switch in the log detail. Can I also set the source port on ISE?
I'm thinking of defining the incoming switch address on ISE, but also setting the MAC limitation on the local switch, since I did not see any port-like attributes on ISE. Do you think this will work? I will be working on this idea in my environment.


VIP Advisor

Re: Limiting Device Movement using MAC Address

Adding to the other post:

You have 2 options.

Option 1: you need to have a centralised identity system which can take care of the policies.

Option 2: you need to do it manually on every device (which is time-consuming for adding and removing).

My suggestion is to go with Option 1 (look for an option in the market).

BB
*** Rate All Helpful Responses ***
Beginner

Re: Limiting Device Movement using MAC Address

Hi Balaji,

I have ISE 2.3 installed. On ISE, I should be working in the Policy Sets menu, right? Or somewhere else?

VIP Advisor

Re: Limiting Device Movement using MAC Address

Follow the other post as suggested. Let us know if you need any further assistance.

BB
*** Rate All Helpful Responses ***