topic Re: ISE policy in Network Access Control

ISE policy

Spyros Kasapis — Mon, 20 Apr 2020 20:09:25 GMT

Hello ,

is there a way to create a policy based on DestinationPort radius attribute ? (1812 or 1645)

Thanks in advanced .

Spyros

Re: ISE policy

Mike.Cifelli — Tue, 21 Apr 2020 00:16:50 GMT

Take a look at this link:
https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253#toc-hId-1189009796
You may be able to utilize the NAS-Port attribute to meet your needs. HTH!

Re: ISE policy

Greg Gibbs — Tue, 21 Apr 2020 01:12:32 GMT

I don't believe it is possible to create policy based on that value. There is no such attribute in the RADIUS RFC2865 and there are no Cisco-specific attributes that include this info in the supported ISE Network Access Attributes.

If you're wanting to create different policies based upon the Network Device initiating the RADIUS request, the common approach is to create Network Device Groups and use those as conditions in your policies.

Re: ISE policy

Spyros Kasapis — Tue, 21 Apr 2020 07:21:19 GMT

Thank you for your quick reply ,

Greg you are right there is no such attribute in RFC .

I saw it in ISE in Authentication details (other attributes) that's why i am asking.

I want to create a policy for requests coming from the same device , (an ASA) with two authentication methods (primary,secondary).

The primary authentication should match the first policy and the secondary the other .

Re: ISE policy

Spyros Kasapis — Tue, 21 Apr 2020 13:14:21 GMT

We found a solution

In ASA we make the requests from different ip addresses (interfaces).

In ISE the policy matches with the NAS IPv4 Address which is different .