topic Re: Send User-Name back to NAD in Network Access Control

Send User-Name back to NAD

Ricardo T Duarte — Wed, 24 Oct 2018 09:22:03 GMT

Hi there,

As far as I know, most NADs (ex.: WLC, Catalysts) accept the "User-Name" back from the RADIUS server.

I'm currently using this, with my current in-house built RADIUS, to send the real user to the WLC when doing MAB.

So, a user registers it's device by MAC, the NAD makes the request using MAC address but get's back the real name. So, when I go to the WLC page I can see the real user, not the mac.

Unfortunately ISE seems to set the User-Name as Input only (Direction = IN), so I can't send it back on Access-Accept, and as far as I can see I can't edit the dictionary entry because it's a default one.

How can I overcome this problem?

Thanks

Re: Send User-Name back to NAD

Arne Bier — Wed, 24 Oct 2018 10:20:34 GMT

@Ricardo T Duarte - amen brother! that's the feature I've also been looking for and waitng for in ISE 2.4 but it never made it. It's such a trivial request too. Any radius server should be able to do this. Lack of this feature is also causing me pain with my MAB Remember Me call flows.

I was doing exactly the same thing with Cisco Acces Registrar (but there I had the power of tcl scripting to add almost unlimited features to the product - attribute manpulation was the most important and most powerful feature of this product - no need to wait for a BU to "introduce new features"!!!). One of my wishes for ISE is that they open the product up to allow scripting points. So that we can interact at various points of the packet processing. Imagine what we could do with this product!

if you can add your weight to the discussion then that would be amazing. I think Cisco prefers you send product enhancements via the ISE tool itself ("Feedack" in the Help page) - but not sure where that lands up.

Re: Send User-Name back to NAD

Jason Kunst — Wed, 24 Oct 2018 10:26:25 GMT

Agree also see https://community.cisco.com/t5/security-documents/ise-2-3-remember-me-guest-using-guest-endpoint-group-logging/ta-p/3641150

There is a defect there about sending username. Please provide this in your feedback

Re: Send User-Name back to NAD

Ricardo T Duarte — Wed, 24 Oct 2018 10:57:44 GMT

How hard can it be for Cisco to go to the dictionary and set the direction to "BOTH"...

I miss ClearPass. It allowed me to build my responses combining multiple attributes, that could come from multiple sources.

Re: Send User-Name back to NAD

Arne Bier — Wed, 24 Oct 2018 11:02:24 GMT

@Ricardo T Duarte - let's say Cisco made it direction = BOTH - what would you do next? I am interested to know what your approach would be.

cheers

Re: Send User-Name back to NAD

Ricardo T Duarte — Wed, 24 Oct 2018 11:28:07 GMT

Scenario 1 - ISE standalone

Advanced Attributes

\ User-Name = PortalUser

would prefer not to have @domain on the PortalUser, but that would already be something.

Scenario 2 - External Database

I also have my own external mysql database that has MAC addresses and UserNames that registered them

Advanced Attributes

\ User-Name = Username (from External DB)

Scenario 3 - Passive Id

Advanced Attributes

\ User-Name = Username (from Passive Id)

I'm assuming ISE does expand those values to their values, and will not put a "Username" word there.

I would also then use this to update my firewall IP-to-User mapping, by using a accounting proxy in-between ISE and NAD.

Currently I have to rely on a in-house built pxgrid solution that subscribe for session info and then get's the username.

Re: Send User-Name back to NAD

Arne Bier — Wed, 24 Oct 2018 11:22:21 GMT

oh that's brilliant! Thanks you've just taught me something new in ISE. I guess in hindsight it's quite obvious, but I never thought of trying to overwrite the User-Name (not that I could, because it's IN only). But there're a lot of other dictionary attributes that can be utilised there - might be something I need to keep in mind.

thanks for that useful pointer.

Re: Send User-Name back to NAD

Ricardo T Duarte — Wed, 24 Oct 2018 11:26:16 GMT

I didn't try to see if ISE does substitute the variable name with it's value, under advanced attributes.

I'm assuming it does, given that it allows me to select the available attributes from a list.

If it doesn't, then, the problem is worst than I thought. Another feature request.

Re: Send User-Name back to NAD

Jason Kunst — Wed, 24 Oct 2018 11:43:25 GMT

Great feedback send to PMs

Re: Send User-Name back to NAD

Ricardo T Duarte — Wed, 24 Oct 2018 11:56:33 GMT

Ok,

Made a quick test, and ISE just puts the text there.

It does not expand the variables.

Example:

I put a advanced attribute there, and selected the value as EndPoints:LogicalProfile.

The response shows the text "EndPoints:LogicalProfile" and not the real value.

Re: Send User-Name back to NAD

howon — Wed, 24 Oct 2018 20:22:06 GMT

If anyone happen to create a TAC SR regarding this, make sure to attach it to the following defect:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm77990/ (Certain RADIUS attribute direction is not RFC2865 compliant)

Re: Send User-Name back to NAD

klecompte — Tue, 16 Jul 2019 19:15:21 GMT

Why is this marked Solved! This isn't solved at all. I can't understand how this product has made it this far without this very simple and RFC required feature. This is one of the first features I enabled with FreeRADIUS and it was simple, powerful and straight forward. This is just sad.

Re: Send User-Name back to NAD

Jason Kunst — Tue, 16 Jul 2019 20:03:33 GMT

This is marked as solved because technically it can't be done and is a feature request. please reach out to our PMs with your customer info at http://cs.co/ise-feedback and attach to the defects under this posting https://community.cisco.com/t5/security-documents/ise-2-3-remember-me-guest-using-guest-endpoint-group-logging/ta-p/3641150
CSCvh04231 & CSCva66612 Enhancement for future, please reach out to our Product Managers via - http://cs.co/ise-feedback Guest remember me radius accounting and access accept not sending guest username