topic Re: Using Endpoint Custom Attribute in Authorization Policies in Network Access Control

Using Endpoint Custom Attribute in Authorization Policies

nved — Tue, 24 Oct 2017 13:14:30 GMT

We configuring ISE for MAB authentication using an external MAC Address database that contains a list of MAC Addresses and Endpoint Type (for example Printer, Workstation, HVAC, VOICE). We have created a custom attribute called "CompanyInfo" of the type string, which would be set to Device Type information from the external database.

The value of this custom attribute set to match a IP Phone profile and we defined an authorization policy that compare the Custom Attribute - "CompanyInfo" with "EndPoIntPolicy" as shown below. ISE does not match the first rule defined below.

However, if we compare the "CompanyInfo" with "Cisco-IP-Phone-7970" as shown in the second rule below, we get a match

I am not sure if the right had side of the condition can utilize and EndPointArrtibute such as EndPointPolicy or EndPointLogicalProfile.

I have attached a screen capture from our lab testing.

Re: Using Endpoint Custom Attribute in Authorization Policies

Jason Kunst — Tue, 24 Oct 2017 13:30:50 GMT

Sounds like a bug to me

Re: Using Endpoint Custom Attribute in Authorization Policies

hslai — Tue, 24 Oct 2017 14:26:10 GMT

Which ISE release is this? If not 2.3, please try it with 2.3.

Why are you not using Equals or Contains instead of Matches, although this might not impact your results? The operator Matches is for regex.

For the Cisco IP Phones Profile Match, try swapping RHS and LHS.

Like Jason said, we would suggest to log a bug but please detail the steps and attach debug logs. If TAC case open, please request TAC to do so.

Re: Using Endpoint Custom Attribute in Authorization Policies

nved — Tue, 24 Oct 2017 15:18:17 GMT

We have are running this on ISE 2.2 patch 4, which was the customer has.

Was it not supposed to work on ISE 2.2?

Niten Ved

732 266 8063 – cell (preffered)

732 393 6101 - office

Re: Using Endpoint Custom Attribute in Authorization Policies

hslai — Tue, 24 Oct 2017 15:27:22 GMT

Endpoint custom attributes are available since ISE 2.1 so supported. The reason I asked to try 2.3 is that release uses a new policy engine and might make a difference.

Re: Using Endpoint Custom Attribute in Authorization Policies

Craig Hyps — Wed, 25 Oct 2017 14:01:27 GMT

Niten,

As you know, I provided this proposal to customer which you are now testing on their behalf. Since I have already engaged with this account and providing direct consult, there is no reason to also post to alias. This will only result in more TMEs and SMEs chasing the same issue.

As I responded directly to account team, the use of Custom Attributes in Authorization Policy conditions IS supported. Furthermore, we addressed an issue in ISE 2.2 where Custom Attributes were not exposed to Authorization Profile

CSCvc42525 support of Custom Attribute of Endpoint in Authz Profile

However, the typical scenario would be to match custom attribute (Left-Hand Side, or LHS) to a value (RHS). Same goes for Endpoint Profile Policy where value is selected on RHS via drop-down list of profiles. I suspect this particular combination was not tested by QA.

If not working as expected, then need a bug filed. Let's not duplicate efforts on this account.

Regards,

Craig