Cisco ISE 3.0 and alcatel Radius differentiation

old roo
Level 1

Hi all,

Fairly new to ISE but have done quite a bit of reading up.

I have a problem with setting up the Alcatel Omni switch rules.

When I create a device profile for MAB for the Alcatel switches, the rule says if condition "device is part of group and matches MAB" proceed. The problem is the MAB packet by default isn't the "lookup packet" like Cisco devices.

To get around this I can create a device profile that looks for the PAP_ASCII field and it changes it to a lookup packet for MAB.

However this then creates a problem for remote access for SSH and I can no longer log into the switch.

Does anyone know of an attribute or condition in RADIUS that would be used by MAB authentication, but would be used by a normal SSH admin session?

Wondering if I could add a condition for MAB which would be that the username contains the character ":" as the MAC address, proceed; otherwise drop down to the RADIUS user authentication rule for logging in to the device.

Any thoughts welcome


3 Replies

old roo
Level 1

This is the error message when I now try to SSH into the device, after allowing ISE to properly match MAB auths to ISE (attached screenshot: error.jpg).

If I change the Alcatel device profile back, SSH to the device works, but MAB fails.

Octavian Szolga
Level 4

Hi,

You most probably have to do a tcpdump from ISE and compare the SSH vs MAB scenarios using Wireshark.

The reason why you're having this issue is that you're using RADIUS for SSH access.

Don't you have a port-type RADIUS attribute for the SSH session? Like Virtual or something similar? This would be a differentiator.

What I'm saying is that you should use the Alcatel Device Profile the way it works for MAB, and change the SSH auth rule to consider some extra attribute in order to differentiate requests inside the Policy Set.

BR,

Octavian
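The two differentiation approaches raised in this thread (the question's "User-Name contains ':'" idea and the reply's port-type attribute) can be modelled side by side. The script below is an added example, not code from the thread, from Cisco ISE or from Alcatel; it is a plain-Python stand-in for the policy-set condition, not ISE's policy engine. It assumes RADIUS attribute names and numeric values as defined in RFC 2865 (NAS-Port-Type Virtual = 5, Ethernet = 15; Service-Type Login = 1, Framed = 2, NAS-Prompt = 7, Call-Check = 10), and the sample requests are constructed for illustration only.

```python
import re

# RADIUS attribute values from RFC 2865 (fixed by the RFC, not taken from the thread).
NAS_PORT_TYPE_VIRTUAL = 5      # interactive sessions such as an SSH/telnet login
NAS_PORT_TYPE_ETHERNET = 15    # a physical switch port
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_NAS_PROMPT = 7
SERVICE_TYPE_CALL_CHECK = 10   # the "lookup" packet Cisco devices send for MAB

# Accepts 00:11:22:33:44:55, 00-11-22-33-44-55 and 001122334455.
MAC_USERNAME = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^[0-9a-f]{12}$", re.I)


def username_contains_colon(attrs):
    """The rule proposed in the question: any User-Name containing ':' is treated as MAB."""
    return ":" in attrs.get("User-Name", "")


def is_mab(attrs):
    """MAB if the request is a Cisco-style lookup (Service-Type=Call-Check) or, as the
    Alcatel default described in the thread, a PAP request whose User-Name is a MAC
    address arriving on a physical (Ethernet) port."""
    if attrs.get("Service-Type") == SERVICE_TYPE_CALL_CHECK:
        return True
    return (attrs.get("NAS-Port-Type") == NAS_PORT_TYPE_ETHERNET
            and bool(MAC_USERNAME.match(attrs.get("User-Name", ""))))


def is_admin_login(attrs):
    """Admin session if NAS-Port-Type is Virtual (what an SSH login normally carries)
    and Service-Type is Login or NAS-Prompt. The User-Name is deliberately not consulted,
    so a human account whose name happens to look like a MAC is still an admin login."""
    return (attrs.get("NAS-Port-Type") == NAS_PORT_TYPE_VIRTUAL
            and attrs.get("Service-Type") in (SERVICE_TYPE_LOGIN, SERVICE_TYPE_NAS_PROMPT))


def classify(attrs):
    """Rule order matters: the admin check runs first so an SSH login is never routed
    to the MAB rule, then the MAB check, then fall through to no match (reject)."""
    if is_admin_login(attrs):
        return "ADMIN_LOGIN"
    if is_mab(attrs):
        return "MAB"
    return "NO_MATCH"


# Constructed sample requests (hypothetical values, not captures from the thread).
SAMPLE_REQUESTS = {
    "alcatel_mab_pap": {"User-Name": "00:11:22:33:44:55", "User-Password": "<masked>",
                        "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET,
                        "Service-Type": SERVICE_TYPE_FRAMED},
    # Same switch, MAC sent without separators: the colon rule misses this one.
    "alcatel_mab_no_separators": {"User-Name": "001122334455", "User-Password": "<masked>",
                                  "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET},
    "cisco_mab_lookup": {"User-Name": "001122334455",
                         "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET,
                         "Service-Type": SERVICE_TYPE_CALL_CHECK},
    "ssh_admin": {"User-Name": "netadmin", "User-Password": "<masked>",
                  "NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL,
                  "Service-Type": SERVICE_TYPE_LOGIN},
    # Admin account with a MAC-looking name: only the port-type check keeps it out of MAB.
    "ssh_admin_mac_like_name": {"User-Name": "aabbccddeeff", "User-Password": "<masked>",
                                "NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL,
                                "Service-Type": SERVICE_TYPE_NAS_PROMPT},
}


def compare_rules():
    """Return {name: (colon_rule_says_mab, attribute_rule_verdict)} for each sample."""
    return {name: (username_contains_colon(a), classify(a))
            for name, a in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (colon_rule, verdict) in compare_rules().items():
        print(f"{name:28s} colon-rule-says-MAB={colon_rule!s:5s} attribute-rule={verdict}")
```

Running it shows why the reply's suggestion is the more robust one: the colon-only rule both misses a MAB request whose MAC has no separators and would need extra care for any admin username that resembles a MAC, whereas keying the admin rule on NAS-Port-Type=Virtual leaves the MAB rule free to accept the Alcatel PAP form. Before building the ISE condition, confirm with the tcpdump/Wireshark comparison suggested above which attributes the Alcatel switch actually sends in each scenario; the values here are assumptions.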

Accepted Solution

That's what I thought. I ended up getting SSH to use TACACS and getting that to work.