cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

197
Views
5
Helpful
1
Replies
Highlighted
Beginner

Authorization Profile Attr 25 Group_Name

Hey all,

I am trying to finalize my ISE Checkpoint Radius connection for VPN Authentication. Only problem I have, in authorization process, I want ISE to send first Group of user (I am authenticating internally) to checkpoint as attr 25. 

However ISE sends "User Identity Group:Group_Name" which checkpoint does not understand prefix. I need class 25 attribute as only Group_Name to be delivered to checkpoint. Can I twick ISE to do that by creating new attribute in dictionary maybe?

Thanks in advance!

PS:. I know I can create several Profiles with manually added Group names and create Policies based on OU but I want it to be one policy where first group name will be delivered automatically but without prefix.

 

Everyone's tags (4)
1 REPLY 1
Highlighted
VIP Advocate

Re: Authorization Profile Attr 25 Group_Name

Hi @OrkhanRustamli 

 

There is no way to manipulate the RADIUS Attribute strings in the Authorization profile. E.g. if you wanted to strip/add some text to an attribute :-( - this should be a standard feature of any RADIUS server - but ISE is very prescriptive in this regard.

 

You wanted to map only the Identity Group name to the RADIUS Class attribute - ISE has a Common Task for that called "ASA-VPN" - it automatically brings up the drop down list - and if you choose Identity Group Name, then ISE still prefixes the Group Name with the string "User Identity Groups:" - is there any feature in the Checkpoint that allows you to match on a regex?