https://community.cisco.com/t5/network-access-control/dynamic-variable-matching-identity-group-description/m-p/3697060#M494606 <P>In my installs I always allow for a whitelist called Remedate_Later that we put MAC addresses into that we can't easily figure out.&nbsp; This allows us to move out of Monitor mode quicker.&nbsp; On a larger install I want to lock the Remediate_Later concept down to sites, but I don't want to create all the corresponding MAB rules.&nbsp; I am trying to get dynamic variable matching to work.</P> <P>&nbsp;</P> <P>So I have endpoint identity groups configured as Remediate_Later_&lt;Site Name&gt; and I put the site code in the description field, i.e. Site1.&nbsp; All the network devices names at the site start with Site1.</P> <P>&nbsp;</P> <P>In my dynamic variable match I say:</P> <P>&nbsp;</P> <P>Network Access:network device name starts with Identity Group:description</P> <P>&nbsp;</P> <P>I can make that condition but it doesn't seem to work.&nbsp; I can see in the step data that the PIPs are being queried.&nbsp; I can't use other fields like device location or identity group name because they contain the full path the object, i.e. Identity Groups:Whitelists:Remediate_Later:Remedidate_Later_&lt;Site Name&gt; or All Locations#&lt;Site Name&gt;.</P> <P>&nbsp;</P> <P>I was hoping the description field would be coded straight up as the string I put in.&nbsp; Should this work?&nbsp; I am guessing no one in Dev ever thought of this use case.</P> <P>&nbsp;</P> <P>Any other ideas to accomplish without righting 100s of MAB rules.</P> Wed, 29 Aug 2018 15:00:52 GMT paul 2018-08-29T15:00:52Z https://community.cisco.com/t5/network-access-control/dynamic-variable-matching-identity-group-description/m-p/3697060#M494606 <P>In my installs I always allow for a whitelist called Remedate_Later that we put MAC addresses into that we can't easily figure out.&nbsp; This allows us to move out of Monitor mode quicker.&nbsp; On a larger install I want to lock the Remediate_Later concept down to sites, but I don't want to create all the corresponding MAB rules.&nbsp; I am trying to get dynamic variable matching to work.</P> <P>&nbsp;</P> <P>So I have endpoint identity groups configured as Remediate_Later_&lt;Site Name&gt; and I put the site code in the description field, i.e. Site1.&nbsp; All the network devices names at the site start with Site1.</P> <P>&nbsp;</P> <P>In my dynamic variable match I say:</P> <P>&nbsp;</P> <P>Network Access:network device name starts with Identity Group:description</P> <P>&nbsp;</P> <P>I can make that condition but it doesn't seem to work.&nbsp; I can see in the step data that the PIPs are being queried.&nbsp; I can't use other fields like device location or identity group name because they contain the full path the object, i.e. Identity Groups:Whitelists:Remediate_Later:Remedidate_Later_&lt;Site Name&gt; or All Locations#&lt;Site Name&gt;.</P> <P>&nbsp;</P> <P>I was hoping the description field would be coded straight up as the string I put in.&nbsp; Should this work?&nbsp; I am guessing no one in Dev ever thought of this use case.</P> <P>&nbsp;</P> <P>Any other ideas to accomplish without righting 100s of MAB rules.</P> Wed, 29 Aug 2018 15:00:52 GMT https://community.cisco.com/t5/network-access-control/dynamic-variable-matching-identity-group-description/m-p/3697060#M494606 paul 2018-08-29T15:00:52Z https://community.cisco.com/t5/network-access-control/dynamic-variable-matching-identity-group-description/m-p/3699230#M494607 <P>Identity Group:description does not appear fetching its value at all.</P> <P>Instead,&nbsp;it's working ok with an endpoint attribute:</P> <P>&nbsp;</P> <P>Network Access·NetworkDeviceName Starts With&nbsp;EndPoints·assetTag</P> <P>&nbsp;</P> Sat, 01 Sep 2018 21:30:04 GMT https://community.cisco.com/t5/network-access-control/dynamic-variable-matching-identity-group-description/m-p/3699230#M494607 hslai 2018-09-01T21:30:04Z https://community.cisco.com/t5/network-access-control/dynamic-variable-matching-identity-group-description/m-p/3702904#M494608 Hsing,<BR /><BR /><BR /><BR />I just got around to testing this today. I created a custom endpoint attribute called Asset-Location. I then put the location name in that field. I was then able to match "Network Device:Location contains Endpoint:Asset-Location". Thanks for the solution.<BR /><BR /><BR /><BR />Now when I put my endpoints into my whitelist I can lock them into a particular location without having to create a bunch of rules.<BR /><BR /><BR /> Fri, 07 Sep 2018 13:52:34 GMT https://community.cisco.com/t5/network-access-control/dynamic-variable-matching-identity-group-description/m-p/3702904#M494608 paul 2018-09-07T13:52:34Z