topic Re: Can ISE change a port description? in Network Access Control

Can ISE change a port description?

Dan — Fri, 21 Feb 2020 18:56:21 GMT

Is it possible for ISE to rename a port after a device has successfully finished a dot1x authentication? I'd like to be able to pull the hostname of the device and put it on the port description and then have it change back to a generic port description when a device hasn't authenticated. How would I go about doing this? I assume i'm going to have to do something with EPM to pull the hostname from somewhere?

I've seen rm-port-description on our 2960Xs radius attributes but don't see the same option on ISE on the authorization results.

Thanks

Re: Can ISE change a port description?

Bogdan Nita — Fri, 18 May 2018 12:52:35 GMT

I do not think the ISE can configure the description on the switch, but it should be able to send the hostname using aaa:supplicant-name AV-Pairs attribute.

Then you would need to have some sort of script in place to monitor the interface, grab the supplicant-name (trickiest thing) and write it as description.

I found this macro in the following post, but it does not seem to work:

https://supportforums.cisco.com/t5/aaa-identity-and-nac/using-av-pairs-to-add-a-description-to-a-port-based-on-the/td-p/2270111

If you want to have the description configure so you can issue show int description and see who is connected to the interface then you may consider using show int users.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz16631/?rfs=iqvred

HTH

Bogdan

Re: Can ISE change a port description?

Dan — Fri, 18 May 2018 13:29:06 GMT

Yes I had seen them but nobody followed up on whether they got it working or not and I'm struggling to find anything else on google.

I would have thought that ISE is capable of doing this. It can already change the VLAN on a port and i'm assuming that it's just sending a 'sw mode access vlan xx' command to the switch?

Don't think I'll be able to use the 'show int users' command as it returns nothing for me. Most likely because we're doing PC authentications only using MSCHAP and not EAP-TLS. I can see the switch learning the hostname of the devices because I can do a 'show auth sess int gi1/0/3' for example and see 'User-Name: host/hostname.domain'.

I haven't seen people using EPM scripts to pull CDP neighbour information and write it to a port description but struggling to figure out where to start to do the same for hostnames from auth sessions.

Re: Can ISE change a port description?

Bogdan Nita — Fri, 18 May 2018 13:48:15 GMT

If you ca use a command to see the hostamane you could use a EEM script like this one (I haven't actually tested it so you might need to adapt it):

event manager applet add_port_descr
event identity interface regexp GigabitEthernet.* authz all athuz-complete
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "interface $_nd_local_intf_name"
action 4.0 cli command "do show auth sess int $_nd_local_intf_name | include User-Name"
action 5.0 cli command "description $_cli_result"

should write a description 'User-Name: host/hostname.domain'

HTH

Bogdan

Re: Can ISE change a port description?

Dan — Fri, 18 May 2018 14:03:26 GMT

Thanks for this. Unfortunately we're using 2960X which as far as I can see don't support the EEM scripting? The only way I can see it working is if we use an auto-smart-port macro.

Re: Can ISE change a port description?

Ethan Campbell — Tue, 25 Nov 2025 14:26:36 GMT

I would love to get this working, but seem to be struggling. Catalyst 9300-24P