topic Re: ISE Authz for AC 4.7 UDID in Network Access Control

ISE Authz for AC 4.7 UDID

VVVENKAT — Tue, 28 May 2019 10:45:54 GMT

With AnyConnect 4.7 sending UDID to ISE, one of my customer would like to use the same in AuthZ condition and check against SQL db before granting complete access. The UDID is sent as "PhoneID" by AnyConnect. Just wanted to confirm if I can create a custom user attribute with internal name as PhoneID and write an AuthZ to check the value against SQL db.

Many Thanks

V.Venkata Manikandan

Re: ISE Authz for AC 4.7 UDID

Jason Kunst — Tue, 28 May 2019 21:54:20 GMT

I don’t think this is possible but will check with the SME

Re: ISE Authz for AC 4.7 UDID

VVVENKAT — Tue, 28 May 2019 23:25:06 GMT

Thanks Jason. Will wait for the response.

Many Thanks

V.Venkata Manikandan

Re: ISE Authz for AC 4.7 UDID

VVVENKAT — Wed, 29 May 2019 07:32:38 GMT

Hi Jason,

Also, is this PhoneID exposed via ISE API or PxGrid Session Object?

Many Thanks

V.Venkata Manikandan

Re: ISE Authz for AC 4.7 UDID

Nidhi — Mon, 03 Jun 2019 14:45:05 GMT

UDID is not exposed via API.

Also, regarding your initial query , as Jason mentioned, you cannot use the UDID attribute in Authz profile today.

The use use case we support today is with Posture condition wherein we can manually add the UDID to AD attribute and use it to get compliance information from AD.

Thanks,

Nidhi

Re: ISE Authz for AC 4.7 UDID

toyip — Tue, 13 Jul 2021 19:33:17 GMT

Hi Nidhi,

Got a customer looking to use the UDID in the posture condition. Do you have a working example of how this is done as you stated above?

Re: ISE Authz for AC 4.7 UDID

Marcelo Morais — Tue, 13 Jul 2021 23:30:43 GMT

Hi @toyip ,

I haven't tried the following yet, but it's worth a shot ...

. insert the UDID in the description field (fo ex.:) of an user.

ISE

. Administration > Identity Management > External Identity Sources > Active Directory > select your AD, at Attributes tab, select an attribute from AD (for ex.: description)

. Policy > Policy Sets > select you policy > Authorization Policy:

- Condition:

Cisco.cisco-av-pair CONTAINS <your AD>.description

Note: in this case the Cisco.cisco-av-pair has the UDID of the user.

Hope this helps !!!

Re: ISE Authz for AC 4.7 UDID

toyip — Wed, 14 Jul 2021 16:50:35 GMT

Hi Marcelo,

Thanks for your reply. I thought the UDID was part of a posture condition as suggested by the other folks in this thread. But your suggestion says otherwise (no posturing involved). I've been looking at the posture conditions in a lab, but not seeing how you can use the UDID in it.

To clarify, the UDID has to be added in AD itself, then ISE picks it up as an AD attribute. Is that correct?

Re: ISE Authz for AC 4.7 UDID

Marcelo Morais — Wed, 14 Jul 2021 18:15:04 GMT

Hi @toyip ,

that's correct. UDID has to be added in AD itself.

Note: just like adding a IP Telephone Number on the AD (for example: using the ipPhone attribute)

Regards.