New Member

ISE 1.2: disable endpoints with a certain MAC address

Hi All,

We use AD to authenticate wireless users. In AD, we have configured it to block the user account if the password is entered wrongly more than 3 times. The problem is that some users are entering other users' IDs and locking those accounts. I have the MAC address of the offending user. Can anyone please advise how to block requests from this MAC from even reaching AD?

Thanks

1 ACCEPTED SOLUTION
New Member

You have two options from ISE and one option from the WLC:

The first option, which is not very scalable, is to modify your authentication policy to deny access to a specific MAC address (Radius:Calling-Station-ID). It is not very scalable because you can only specify one MAC address.

Your second option is to enable anomalous client suppression (under System -> Settings -> Protocols -> RADIUS). This will be your best option, but it would require a bit of testing to identify the best values for your environment.

From the controller you can enable client exclusion for excessive 802.1X authentication failures. By default it won't even send the fourth authentication to ISE for a failing endpoint.

Here you will need to modify the exclusion timer to something high, as the default is 60 sec.
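
An added example, not from this thread or from Cisco, of the logic behind the second option (anomalous client suppression): count failures per Calling-Station-ID in a sliding window and, once a MAC crosses the threshold, reject its requests locally so they never reach AD. The thresholds, the log line format and the sample events are all constructed for the illustration; ISE's real settings and syslog layout differ, so `LINE_RE` would need adapting to a real export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables, assumed for the illustration. ISE's own suppression settings
# (System -> Settings -> Protocols -> RADIUS) must be tuned per environment.
FAIL_THRESHOLD = 3                 # failures from one MAC inside WINDOW
WINDOW = timedelta(minutes=5)      # sliding window for counting failures
SUPPRESS_FOR = timedelta(hours=1)  # how long the MAC is rejected locally

# Constructed log format (not ISE's real syslog layout): one event per line
# with the two RADIUS attributes that matter here.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) RADIUS '
    r'(?P<result>Passed-Authentication|Failed-Attempt) '
    r'UserName=(?P<user>\S+) Calling-Station-ID=(?P<mac>\S+)')


def norm_mac(mac):
    """Normalise Calling-Station-ID (WLCs send 00-11-22-33-44-55, other NADs
    may send 0011.2233.4455) to lower-case colon form so one client is one key."""
    digits = re.sub(r'[^0-9a-fA-F]', '', mac).lower()
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


class FailureSuppressor:
    """Sliding-window failure counter keyed by client MAC. After `threshold`
    failures inside `window`, is_suppressed() is True for `suppress_for`."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW,
                 suppress_for=SUPPRESS_FOR):
        self.threshold = threshold
        self.window = window
        self.suppress_for = suppress_for
        self.failures = defaultdict(deque)  # mac -> recent failure timestamps
        self.suppressed_until = {}          # mac -> datetime

    def is_suppressed(self, mac, now):
        until = self.suppressed_until.get(mac)
        if until is None:
            return False
        if now >= until:                    # suppression has expired
            del self.suppressed_until[mac]
            return False
        return True

    def record_failure(self, mac, now):
        """Register a failed attempt; returns True if the MAC is now suppressed."""
        q = self.failures[mac]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.suppressed_until[mac] = now + self.suppress_for
            return True
        return False


def replay(log_text, suppressor=None):
    """Treat each line as an incoming request; the recorded result stands in for
    what AD would answer. Returns {mac: {'forwarded', 'dropped', 'users'}}."""
    sup = suppressor or FailureSuppressor()
    stats = defaultdict(lambda: {'forwarded': 0, 'dropped': 0, 'users': set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        now = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        mac = norm_mac(m['mac'])
        s = stats[mac]
        if sup.is_suppressed(mac, now):
            s['dropped'] += 1            # rejected here; AD never sees it
            continue
        s['forwarded'] += 1              # would be sent on to AD
        s['users'].add(m['user'])
        if m['result'] == 'Failed-Attempt':
            sup.record_failure(mac, now)
    return {mac: {'forwarded': v['forwarded'], 'dropped': v['dropped'],
                  'users': sorted(v['users'])} for mac, v in stats.items()}


def failed_accounts_by_mac(log_text):
    """Triage view for the question above: which user names each MAC has failed
    against. One MAC failing against several accounts is the pattern described."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m['result'] == 'Failed-Attempt':
            out[norm_mac(m['mac'])].add(m['user'])
    return {mac: sorted(users) for mac, users in out.items()}


# Constructed sample: one client hammering george's and mary's accounts,
# one legitimate client with a single typo, then the first client back later.
SAMPLE_LOG = """\
2014-03-03 09:00:01 RADIUS Failed-Attempt UserName=george Calling-Station-ID=00-11-22-33-44-55
2014-03-03 09:00:09 RADIUS Failed-Attempt UserName=george Calling-Station-ID=00-11-22-33-44-55
2014-03-03 09:00:15 RADIUS Passed-Authentication UserName=alice Calling-Station-ID=AA-BB-CC-DD-EE-FF
2014-03-03 09:00:20 RADIUS Failed-Attempt UserName=george Calling-Station-ID=00-11-22-33-44-55
2014-03-03 09:00:31 RADIUS Failed-Attempt UserName=george Calling-Station-ID=00-11-22-33-44-55
2014-03-03 09:00:40 RADIUS Failed-Attempt UserName=mary Calling-Station-ID=00-11-22-33-44-55
2014-03-03 09:01:02 RADIUS Failed-Attempt UserName=alice Calling-Station-ID=AA-BB-CC-DD-EE-FF
2014-03-03 10:30:00 RADIUS Failed-Attempt UserName=george Calling-Station-ID=00-11-22-33-44-55
"""
```

With the sample, the first client is forwarded three times, its fourth and fifth attempts (including the one against mary) are dropped before AD sees them, and it is forwarded again once the suppression has expired; alice's single failure never trips the threshold. `failed_accounts_by_mac` is the quick way to find the MAC that is failing against other people's accounts before choosing a threshold.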

5 REPLIES

In the endpoint identity, assign the MAC as blacklisted, via static assignment.

New Member

Hi

Thanks for the reply. But in ISE, it checks authentication first, followed by authorization. So it is still sending a request to AD before authorization. Hence the account will be locked.

Bronze

Hi,

Then, in the DHCP server you can filter this MAC address to block its requests from reaching AD.

New Member

Hi,

Though the first option is not scalable, I think it is the best bet I have got.

There are students using one another's accounts (e.g. say a friend's user name is George; they are using this as the user name and blocking their friend's account).

So the second and third options will not be applicable to me.

Thanks
