Send interface description to ISE.

Hi,

Does anyone know if it is possible to send an interface description to ISE as part of the RADIUS access request?

The interface ID is included in various elements e.g. 'nas-port-id' and 'cisco-nas-port', but not the description.

Intent would be to 'tag' an interface for a special use-case, and ISE would match this to apply specific policy.

Cheers.

3 Replies

Aditya Ganjoo
Cisco Employee

Hi,

There is a feature called "Vlan-ID based MAC authentication" that is available only for MAB authentication.

Using this we can send the VLAN ID to the RADIUS server, not in attribute 81 but in attribute 32.

More info on this link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sw8021x.html#wp1275357

Regards,

Aditya

Please rate helpful and mark correct answers

Thanks Aditya.

This is a great suggestion however ideally we would want to use something that doesn't have an operational impact.

We use standardised interface configurations with the same access VLAN across our environment.

In order to stage changes, it would be ideal if for example we could tag multiple interfaces locally, and have ISE apply policy based on this.

Currently we use a match on network device and interface, but this gets complicated for more than a few interfaces.

So rather than:

IF switch X interface A OR switch X interface B OR switch Y interface A THEN test_policy

we use something like:

IF interface_tag THEN test_policy

Say we were testing a specific DACL, we wouldn't necessarily want to modify the access VLAN, as it wouldn't be representative of the final setup.

To me the requirement is similar to VLAN-ID based MAC authentication, in that we are sending information from the locally configured interface, just rather than VLAN ID it is another attribute, e.g. interface description.

Hopefully I've explained in a concise manner, but if you have questions please let me know.

Cheers.

I had a similar requirement from a customer (tag certain ports to be treated differently), and I was able to utilize the NAS-Port-Type attribute to send a Port-Type other than Ethernet and filter on the new type being sent for those ports. Not ideal, but may be a usable workaround for you. On the switch port, configure with 'radius attribute nas-port-type <type id>'.

https://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13
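The NAS-Port-Type workaround above, as an added Python example that is not from this thread or from Cisco: it decodes the RADIUS attributes the replies mention (32, 61, 81, 87) from a constructed Access-Request attribute section, rejecting malformed lengths, and compares the per-interface enumeration rule with a rule that keys on the tagged NAS-Port-Type. The switch name, port, VLAN and the tag value 5 are constructed assumptions.

```python
import struct

# RADIUS attribute type numbers (IANA radius-types registry) named in the thread
NAS_IDENTIFIER = 32           # string
NAS_PORT_TYPE = 61            # 32-bit integer, 15 = Ethernet
TUNNEL_PRIVATE_GROUP_ID = 81  # string, carries the VLAN
NAS_PORT_ID = 87              # string, e.g. "GigabitEthernet1/0/12"
ETHERNET = 15

def encode_attr(atype: int, value) -> bytes:
    """Build one Type/Length/Value attribute; integers are big-endian 32-bit."""
    raw = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    return bytes([atype, len(raw) + 2]) + raw

def parse_attributes(data: bytes) -> dict:
    """Decode a RADIUS attribute section into {type: value}.
    Rejects Length < 2 or an attribute running past the buffer, which would
    otherwise let a malformed packet desynchronise the parser."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        raw = data[i + 2:i + alen]
        attrs[atype] = struct.unpack("!I", raw)[0] if atype == NAS_PORT_TYPE \
            else raw.decode("ascii", errors="replace")
        i += alen
    return attrs

def policy_by_enumeration(attrs: dict, staged: set) -> str:
    """The rule the thread wants to avoid: list every (switch, interface) pair."""
    key = (attrs.get(NAS_IDENTIFIER), attrs.get(NAS_PORT_ID))
    return "test_policy" if key in staged else "default_policy"

def policy_by_port_type(attrs: dict, tag: int) -> str:
    """The workaround: the switch port sends a non-Ethernet NAS-Port-Type as a tag."""
    return "test_policy" if attrs.get(NAS_PORT_TYPE) == tag else "default_policy"

# Constructed sample request: switch "sw-x", port Gi1/0/12, VLAN 100, port tagged
# with the hypothetical NAS-Port-Type value 5 (anything other than Ethernet = 15).
TAG = 5
REQUEST = (encode_attr(NAS_IDENTIFIER, "sw-x") + encode_attr(NAS_PORT_ID, "GigabitEthernet1/0/12")
           + encode_attr(TUNNEL_PRIVATE_GROUP_ID, "100") + encode_attr(NAS_PORT_TYPE, TAG))

if __name__ == "__main__":
    a = parse_attributes(REQUEST)
    print(policy_by_enumeration(a, {("sw-x", "GigabitEthernet1/0/12")}), policy_by_port_type(a, TAG))
```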