<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using Cisco AV-pair value in an authorization rule to match AD Gro in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5305518#M597092</link>
    <description>&lt;P&gt;For cert CPN auth, check out &lt;A href="https://labminutes.com/sec0406_firepower_anyconnect_vpn_certificate_authentication_windows_1" target="_self"&gt;Labminutes SEC0406&lt;/A&gt; and onwards for step by step - as always, Metha does an awesome job.&lt;/P&gt;
&lt;P&gt;I think ISE Policy Set has its limitations and you're trying to compare two variables on either side of the MATCHES operator - sadly, to my knowledge, you can't do that. I'm still waiting for the LUA language addition to ISE to allow us to do crazy cool things like this. When I did work for a telco many years ago we used Cisco Access Registrar (Cisco's SP RADIUS server) and we could easily code and manipulate RADIUS attributes at various stages of the flow. ISE has a very narrow use case only, and the GUI method is good for most typical enterprise use cases.&amp;nbsp; If you look at FreeRadius, you can do a lot of cool crazy stuff too.&lt;/P&gt;</description>
    <pubDate>Thu, 03 Jul 2025 20:43:15 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2025-07-03T20:43:15Z</dc:date>
    <item>
      <title>Using Cisco AV-pair value in an authorization rule to match AD Group</title>
      <link>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5300707#M596839</link>
      <description>&lt;P&gt;Within the list of a Remote VPN Radius session attributes, there are a few Cisco:AV-pair entries:&lt;/P&gt;
&lt;P&gt;CiscoAVPair&lt;/P&gt;
&lt;P&gt;mdm-tlv=device-platform=win,&lt;BR /&gt;mdm-tlv=computer-name=V000011111,&lt;BR /&gt;mdm-tlv=device-platform-version=10.0.26100 ,&lt;BR /&gt;mdm-tlv=ac-user-agent=AnyConnect Windows 5.1.7.80,&lt;/P&gt;
&lt;P&gt;The goal is to check if the "mdm-tlv=computer-name=V000011111" value matches or contains a particular AD Computer-Name OU Group.&lt;/P&gt;
&lt;P&gt;Is there a way to create this Cisco:AV-pair value in the System Dictionary to use in an authorization rule to match/contains/equal an Active Directory Computer Group?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;Philip&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jun 2025 09:49:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5300707#M596839</guid>
      <dc:creator>pviljoen</dc:creator>
      <dc:date>2025-06-19T09:49:28Z</dc:date>
    </item>
    <item>
      <title>Re: Using Cisco AV-pair value in an authorization rule to match AD Gro</title>
      <link>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5300931#M596853</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1744935"&gt;@pviljoen&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The cisco-av-pair already exists in the ISE RADIUS Dictionary under Vendor ID 9 (Cisco) and the sub-ID for this AVPair is ID 1.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_0-1750368537434.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/246784i634D5FA5D7FEEA33/image-size/large?v=v2&amp;amp;px=999" role="button" title="ArneBier_0-1750368537434.png" alt="ArneBier_0-1750368537434.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;This attribute is a String, which means it will accept values such as "&lt;SPAN&gt;mdm-tlv=computer-name=V000011111"&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I don't believe you need to create any new dictionary items. Also, all the parameters in a dictionary are static values - there are no run-time assignments or bindings that take place. I think in yet-to-be-released ISE versions there was talk of adding a scripting language to ISE (LUA) that would allow us to manipulate the inputs and outputs (as done in FreeRADIUS, and Cisco's own carrier-grade RADIUS platform Access Registrar) - that opens up almost limitless possibilities.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Not sure what kind of matching you're after, and perhaps you have to create a few of these regular expressions, but you can do this (I just made up some arbitrary matching logic) - the Policy Set Authorization below will run these rules against the currently authenticated endpoint:&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_2-1750369107492.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/246786i44AAEDA6D6B22D76/image-size/large?v=v2&amp;amp;px=999" role="button" title="ArneBier_2-1750369107492.png" alt="ArneBier_2-1750369107492.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jun 2025 21:43:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5300931#M596853</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2025-06-19T21:43:32Z</dc:date>
    </item>
    <item>
      <title>Re: Using Cisco AV-pair value in an authorization rule to match AD Gro</title>
      <link>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5305144#M597071</link>
      <description>&lt;P&gt;Hi Arne,&lt;/P&gt;
&lt;P&gt;Thank you for your effort to assist.&lt;/P&gt;
&lt;P&gt;What you show and explain is what I also managed to get working; the problem is this is a Telco, so the number of computer names can't be matched manually/statically - I need to match them to an AD Computer Group.&lt;/P&gt;
&lt;P&gt;What I am trying to get right is to match that Hostname/ComputerName inside the&amp;nbsp;Cisco av-pair with the format: attribute_name CiscoSecure-Group-Id&amp;nbsp; mdm-tlv=computer-name= --&amp;gt; value "V00001111" with an Active Directory group - Computer names. The reason is that the customer does user authentication (MS-CHAP-v2) with LDAP (E-Directory) and MFA (NETIQ - TOTP), with F5 set up as the RADIUS token server - so no other machine/computer name values get sent inside the session to match with the Computer Groups, only user name values.&lt;/P&gt;
&lt;P&gt;I was hoping I could enable TEAP on Secure Client using the profile editor tools, but the NAM module only supports Wired and WiFi from what I can see inside the settings. No Cisco Remote VPN - FTD - Secure Client support to enable it.&lt;/P&gt;
&lt;P&gt;I am also trying to find a step-by-step guide to enable Certificate + AAA and hopefully do Computer Authentication with certs on the Remote VPN - FTD and then AAA, and then link it to a computer group in AD. This document is the closest I get.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/firepower_threat_defense_remote_access_vpns.pdf" target="_blank"&gt;Remote Access VPNs for Firepower Threat Defense&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 03 Jul 2025 08:30:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5305144#M597071</guid>
      <dc:creator>pviljoen</dc:creator>
      <dc:date>2025-07-03T08:30:31Z</dc:date>
    </item>
    <item>
      <title>Re: Using Cisco AV-pair value in an authorization rule to match AD Gro</title>
      <link>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5305518#M597092</link>
      <description>&lt;P&gt;For cert CPN auth, check out &lt;A href="https://labminutes.com/sec0406_firepower_anyconnect_vpn_certificate_authentication_windows_1" target="_self"&gt;Labminutes SEC0406&lt;/A&gt; and onwards for step by step - as always, Metha does an awesome job.&lt;/P&gt;
&lt;P&gt;I think ISE Policy Set has its limitations and you're trying to compare two variables on either side of the MATCHES operator - sadly, to my knowledge, you can't do that. I'm still waiting for the LUA language addition to ISE to allow us to do crazy cool things like this. When I did work for a telco many years ago we used Cisco Access Registrar (Cisco's SP RADIUS server) and we could easily code and manipulate RADIUS attributes at various stages of the flow. ISE has a very narrow use case only, and the GUI method is good for most typical enterprise use cases.&amp;nbsp; If you look at FreeRadius, you can do a lot of cool crazy stuff too.&lt;/P&gt;</description>
      <pubDate>Thu, 03 Jul 2025 20:43:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5305518#M597092</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2025-07-03T20:43:15Z</dc:date>
    </item>
    <item>
      <title>Re: Using Cisco AV-pair value in an authorization rule to match AD Gro</title>
      <link>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5305635#M597095</link>
      <description>&lt;P&gt;Thanks for the info, must say Labminutes is also my goto guide and agree Metha does an awesome job!!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for sharing your knowledge, much appreciated.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 04 Jul 2025 06:40:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-cisco-av-pair-value-in-an-authorization-rule-to-match-ad/m-p/5305635#M597095</guid>
      <dc:creator>pviljoen</dc:creator>
      <dc:date>2025-07-04T06:40:11Z</dc:date>
    </item>
  </channel>
</rss>