https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3400275#M548363 <P>Hello,</P> <P>I'd like to share a couple of ideas for features I'd like to see in the next versions of ISE: as far as I know, they are not available, but feel free to correct me if I'm wrong!</P> <P>&nbsp;</P> <P>1) Ability to modify Policy Sets via REST API:&nbsp; it is already possible to modify lots of things via API (complete list <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/api_ref_guide/api_ref_book/ise_api_ref_ers1.html" target="_blank">here</A>); however, policy sets cannot be created/modified/deleted via API. This is like having a bathtub full of lego bricks and not being able to play with them!</P> <P>&nbsp;</P> <P>2) Ability to use references to attributes in authorization profiles: that would allow for some pretty neat tricks. Let's suppose, for example, that you want to use the Identity PSK feature of Cisco WLC 8.5; this is a new feature that allows you to set different pre-shared keys for different clients for an SSID using WPA-PSK (see <A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html" target="_blank">here</A> for an overview). However, if I'm not mistaken, you have to write a new authorization rule and a new authorization profile for every different PSK.</P> <P>It would be much better, in my opinion, to simply add an attribute to the Endpoints (let's call it ipsk) and reference it in a single authorization profile.</P> <P>&nbsp;</P> <P>Instead of having multiple authorization profiles like these, each with its own authorization rule...</P> <P>&nbsp;</P> <P>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = psk-mode=ascii<BR />cisco-av-pair = psk=SharedPassword1</P> <P>&nbsp;</P> <P>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = psk-mode=ascii<BR />cisco-av-pair = psk=SharedPassword2</P> <P>&nbsp;</P> <P>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = psk-mode=ascii<BR />cisco-av-pair = psk=SharedPassword3</P> <P>&nbsp;</P> <P>You would have a single authorization profile, with a reference to the attribute and a single authorization rule, referencing the "dynamic" authorization profile.</P> <P>&nbsp;</P> <P><SPAN>Access Type = ACCESS_ACCEPT</SPAN><BR /><SPAN>cisco-av-pair = psk-mode=ascii</SPAN><BR /><SPAN>cisco-av-pair = psk=<U><STRONG>$InternalEndpoint.ipsk</STRONG></U></SPAN></P> <P>&nbsp;</P> <P><SPAN>This feature would not be strictly necessary if we had feature #1, but would still allow for much more compact authorization rules.</SPAN></P> <P><SPAN>The predefined authorization profile Cisco_WebAuth already has something like that:</SPAN></P> <P>&nbsp;</P> <P><SPAN>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = url-redirect-acl=ACL_WEBAUTH_REDIRECT<BR />cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&amp;portal=404e0f70-2e02-11e8-ba71-005056872c7f&amp;action=cwa</SPAN></P> <P>&nbsp;</P> <P><SPAN>The references ip, port and&nbsp;SessionIdValue are populated at runtime.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Is there some Cisco overlord out there that can tell us if something like this has ever been considered?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Best regards,</SPAN></P> <P><SPAN>Silla</SPAN></P> Fri, 21 Feb 2020 18:58:35 GMT silla 2020-02-21T18:58:35Z https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3400275#M548363 <P>Hello,</P> <P>I'd like to share a couple of ideas for features I'd like to see in the next versions of ISE: as far as I know, they are not available, but feel free to correct me if I'm wrong!</P> <P>&nbsp;</P> <P>1) Ability to modify Policy Sets via REST API:&nbsp; it is already possible to modify lots of things via API (complete list <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/api_ref_guide/api_ref_book/ise_api_ref_ers1.html" target="_blank">here</A>); however, policy sets cannot be created/modified/deleted via API. This is like having a bathtub full of lego bricks and not being able to play with them!</P> <P>&nbsp;</P> <P>2) Ability to use references to attributes in authorization profiles: that would allow for some pretty neat tricks. Let's suppose, for example, that you want to use the Identity PSK feature of Cisco WLC 8.5; this is a new feature that allows you to set different pre-shared keys for different clients for an SSID using WPA-PSK (see <A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html" target="_blank">here</A> for an overview). However, if I'm not mistaken, you have to write a new authorization rule and a new authorization profile for every different PSK.</P> <P>It would be much better, in my opinion, to simply add an attribute to the Endpoints (let's call it ipsk) and reference it in a single authorization profile.</P> <P>&nbsp;</P> <P>Instead of having multiple authorization profiles like these, each with its own authorization rule...</P> <P>&nbsp;</P> <P>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = psk-mode=ascii<BR />cisco-av-pair = psk=SharedPassword1</P> <P>&nbsp;</P> <P>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = psk-mode=ascii<BR />cisco-av-pair = psk=SharedPassword2</P> <P>&nbsp;</P> <P>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = psk-mode=ascii<BR />cisco-av-pair = psk=SharedPassword3</P> <P>&nbsp;</P> <P>You would have a single authorization profile, with a reference to the attribute and a single authorization rule, referencing the "dynamic" authorization profile.</P> <P>&nbsp;</P> <P><SPAN>Access Type = ACCESS_ACCEPT</SPAN><BR /><SPAN>cisco-av-pair = psk-mode=ascii</SPAN><BR /><SPAN>cisco-av-pair = psk=<U><STRONG>$InternalEndpoint.ipsk</STRONG></U></SPAN></P> <P>&nbsp;</P> <P><SPAN>This feature would not be strictly necessary if we had feature #1, but would still allow for much more compact authorization rules.</SPAN></P> <P><SPAN>The predefined authorization profile Cisco_WebAuth already has something like that:</SPAN></P> <P>&nbsp;</P> <P><SPAN>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = url-redirect-acl=ACL_WEBAUTH_REDIRECT<BR />cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&amp;portal=404e0f70-2e02-11e8-ba71-005056872c7f&amp;action=cwa</SPAN></P> <P>&nbsp;</P> <P><SPAN>The references ip, port and&nbsp;SessionIdValue are populated at runtime.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Is there some Cisco overlord out there that can tell us if something like this has ever been considered?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Best regards,</SPAN></P> <P><SPAN>Silla</SPAN></P> Fri, 21 Feb 2020 18:58:35 GMT https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3400275#M548363 silla 2020-02-21T18:58:35Z https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3400300#M548365 <P><FONT size="3" face="arial,helvetica,sans-serif">Hi,</FONT></P> <P><FONT size="3" face="arial,helvetica,sans-serif">You might have better luck reaching out to Cisco <A href="https://communities.cisco.com/community/technology/security/pa/ise/content?filterID=contentstatus[published]~objecttype~objecttype[thread]" target="_self">here</A>.</FONT></P> <P>&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><FONT size="3" face="arial,helvetica,sans-serif">In regard to your scenario you mentioned, I previously labbed a similar scenario for management of FlexVPN PSK, normally I'd have created a unique Authorization Profile per VPN peer which can become very tedious. What you can do is create a User Custom Attribute e.g VPN-PSK, then create an Internal ISE user, fill in the string value as your PSK in the custom attribute field VPN-PSK. Create 1 Authorization Profile and define an advanced attribute setting:- Radius:Tunnel-Password = InternalUser:VPN-PSK. You would then use this Authorization Profile in a rule and it would query the defined in the VPN-PSK field under the user/vpn peer being authorized.<BR /></FONT></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><FONT size="3" face="arial,helvetica,sans-serif">This may be helpful to you.</FONT></P> Fri, 15 Jun 2018 16:00:26 GMT https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3400300#M548365 Rob Ingram 2018-06-15T16:00:26Z https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3400312#M548366 <P>Hello,</P> <P>thank you very much for your answer!</P> <P>&nbsp;</P> <BLOCKQUOTE> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <HR /><FONT face="arial,helvetica,sans-serif" size="3">What you can do is create a User Custom Attribute e.g VPN-PSK, then create an Internal ISE user, fill in the string value as your PSK in the custom attribute field VPN-PSK. Create 1 Authorization Profile and define an advanced attribute setting:- Radius:Tunnel-Password = InternalUser:VPN-PSK. You would then use this Authorization Profile in a rule and it would query the defined in the VPN-PSK field under the user/vpn peer being authorized.<BR /></FONT></BLOCKQUOTE> <P>I've tried doing something very similar using a custom attribute for an endpoint, instead of a user, but I couldn't get it to work. But if it works in your case, maybe I can get it to work in mine!<BR /><BR /></P> <P>Best regards,</P> <P>Silla Rizzoli</P> Fri, 15 Jun 2018 16:29:40 GMT https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3400312#M548366 silla 2018-06-15T16:29:40Z https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3404123#M548367 <P>I got it to work in my case too! So I guess we already have feature #1, so #2 is not strictly needed...</P> <P>&nbsp;</P> <P>Ciao!</P> Fri, 22 Jun 2018 17:03:37 GMT https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3404123#M548367 silla 2018-06-22T17:03:37Z https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3769451#M548368 <P>I think this will help you</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/cisco-ise-amp-wlc-wpa2-psk-wlan-per-device-passphrase-ipsk/ta-p/3644425" target="_blank">https://community.cisco.com/t5/security-documents/cisco-ise-amp-wlc-wpa2-psk-wlan-per-device-passphrase-ipsk/ta-p/3644425</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Greetings</P> <P>Philip</P> <P>&nbsp;</P> Thu, 27 Dec 2018 11:52:51 GMT https://community.cisco.com/t5/network-access-control/two-cisco-ise-feature-requests/m-p/3769451#M548368 Philip91 2018-12-27T11:52:51Z