https://community.cisco.com/t5/network-access-control/send-interface-description-to-ise/m-p/3358119#M25653 <P>I had a similar requirement from a customer (tag certain ports to be treated differently), and I was able to utilize the NAS-Port-Type attribute to send a Port-Type other than Ethernet and filter on the new type being sent for those ports.&nbsp; Not ideal, but may be a&nbsp;usable workaround for you.&nbsp; On the switch port, configure with 'radius attribute nas-port-type &lt;type id&gt;'.</P> <P>&nbsp;</P> <P><A href="https://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13" target="_blank">https://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13</A></P> Fri, 30 Mar 2018 16:25:46 GMT Joshua Robertson 2018-03-30T16:25:46Z https://community.cisco.com/t5/network-access-control/send-interface-description-to-ise/m-p/3093103#M25650 <P>Hi,</P> <P></P> <P>Does anyone know if it is possible to send an interface description to ISE as part of the RADIUS access request?</P> <P></P> <P>The interface ID is included in various elements e.g. 'nas-port-id' and 'cisco-nas-port', but not the description.</P> <P></P> <P>Intent would be to 'tag' an interface for a special use-case, and ISE would match this to apply specific policy.</P> <P></P> <P>Cheers.</P> Mon, 11 Mar 2019 07:53:18 GMT https://community.cisco.com/t5/network-access-control/send-interface-description-to-ise/m-p/3093103#M25650 2019-03-11T07:53:18Z https://community.cisco.com/t5/network-access-control/send-interface-description-to-ise/m-p/3093104#M25651 <P>Hi,</P> <P>There is a feature called "<G class="gr_ gr_67 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="67" data-gr-id="67">Vlan</G>-ID based MAC authentication" that is available only for MAB authentication.</P> <P>Using this we can send the <G class="gr_ gr_94 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="94" data-gr-id="94">Vlan</G> id to Radius Server but not in attribute 81 but attribute 32.</P> <P></P> <P>More info on this link:</P> <P></P> <P>http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sw8021x.html#wp1275357</P> <P></P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p2"><SPAN class="s1"></SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Tue, 25 Jul 2017 04:36:52 GMT https://community.cisco.com/t5/network-access-control/send-interface-description-to-ise/m-p/3093104#M25651 Aditya Ganjoo 2017-07-25T04:36:52Z https://community.cisco.com/t5/network-access-control/send-interface-description-to-ise/m-p/3093105#M25652 <P>Thanks Aditya.</P> <P></P> <P>This is a great suggestion however&nbsp;ideally we would want to use something that doesn't have an operational impact.</P> <P></P> <P></P> <P>We use standardised interface&nbsp;configurations with the same access VLAN across our environment.&nbsp;</P> <P></P> <P>In order to stage changes, it would be ideal if for example we could tag multiple interfaces locally, and have ISE apply policy based on this.</P> <P></P> <P>Currently we use a match on network device and interface, but this gets complicated for more than a few interfaces.</P> <P></P> <P>So rather than:</P> <P></P> <P>IF switch X interface A OR switch X interface B OR switch Y interface A THEN test_policy</P> <P></P> <P>we use something like&nbsp;:</P> <P></P> <P>IF interface_tag THEN test_policy</P> <P></P> <P></P> <P>Say we were testing a specific DACL, we wouldn't necessarily want to modify the access VLAN, as it wouldn't be representative of the final setup.</P> <P></P> <P>To me the requirement is similar to VLAN-ID based MAC authentication, in that we are sending information from the locally configured interface, just rather than VLAN ID it is another attribute, e.g. interface description.</P> <P></P> <P>Hopefully I've explained in a concise manner, but if you have questions please let me know.</P> <P></P> <P></P> <P>Cheers.</P> Tue, 25 Jul 2017 10:51:24 GMT https://community.cisco.com/t5/network-access-control/send-interface-description-to-ise/m-p/3093105#M25652 2017-07-25T10:51:24Z https://community.cisco.com/t5/network-access-control/send-interface-description-to-ise/m-p/3358119#M25653 <P>I had a similar requirement from a customer (tag certain ports to be treated differently), and I was able to utilize the NAS-Port-Type attribute to send a Port-Type other than Ethernet and filter on the new type being sent for those ports.&nbsp; Not ideal, but may be a&nbsp;usable workaround for you.&nbsp; On the switch port, configure with 'radius attribute nas-port-type &lt;type id&gt;'.</P> <P>&nbsp;</P> <P><A href="https://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13" target="_blank">https://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13</A></P> Fri, 30 Mar 2018 16:25:46 GMT https://community.cisco.com/t5/network-access-control/send-interface-description-to-ise/m-p/3358119#M25653 Joshua Robertson 2018-03-30T16:25:46Z