05-31-2024 08:24 AM - edited 05-31-2024 08:41 AM
Hello,
I'm trying to use this Vendor-Specific Attributes dictionary in ISE:
VENDOR Alcatel-ESAM 637
BEGIN-VENDOR Alcatel-ESAM
ATTRIBUTE Nokia-AMS-Description 1 string BOTH #Attribute Nokia-AMS-Description
ATTRIBUTE Nokia-AMS-Role 2 string BOTH #Attribute Nokia-AMS-Role
ATTRIBUTE Nokia-AMS-AllowedPapGroup 3 string BOTH #Attribute Nokia-AMS-AllowedPapGroup
ATTRIBUTE Nokia-AMS-MaxNumberOfConcurrentSessions 4 string BOTH #Attribute Nokia-AMS-MaxNumberOfConcurrentSessions
ATTRIBUTE Nokia-AMS-LoginMessage 5 string BOTH #Attribute Nokia-AMS-LoginMessage
ATTRIBUTE Nokia-AMS-FilteredIPAddress 6 string BOTH #Attribute Nokia-AMS-FilteredIPAddress
ATTRIBUTE Nokia-AMS-InactivityLogoutTimeout 7 integer BOTH #Attribute Nokia-AMS-InactivityLogoutTimeout
ATTRIBUTE Nokia-AMS-LogoutTimeout 8 integer BOTH #Attribute Nokia-AMS-LogoutTimeout
ATTRIBUTE Nokia-AMS-InactivityLockScreenTimeout 9 integer BOTH #Attribute Nokia-AMS-InactivityLockScreenTimeout
ATTRIBUTE Nokia-AMS-LockScreenTimeout 10 integer BOTH #Attribute Nokia-AMS-LockScreenTimeout
ATTRIBUTE A-ESAM-PoL-QOS-Profile-Name 1696 string BOTH #Attribute A-ESAM-PoL-QOS-Profile-Name
ATTRIBUTE A-ESAM-PoL-Fwd-ID 1697 string BOTH #Attribute A-ESAM-PoL-Fwd-ID
ATTRIBUTE A-ESAM-PoL-Vp-ID 1698 integer BOTH #Attribute A-ESAM-PoL-Vp-ID
ATTRIBUTE A-ESAM-PoL-Client-Type 1699 integer BOTH #Attribute A-ESAM-PoL-Client-Type
END-VENDOR Alcatel-ESAM
But when trying to push the attributes in the Access-Accept, the IDs 1696, 1697, 1698, 1699 become 160, 161, 162, 163:
I realize that instead of pushing '06 A3' in hexadecimal, it pushes only 'A3'. That's why 1699 becomes 163.
It sounds like modifying the 'Vendor Attribute Type Field Length' could resolve the issue, but I cannot modify this value when importing a dictionary. This value cannot be set in the imported file, and the value cannot be modified when the dictionary already has values in it:
And from the GUI, I cannot create an ID higher than 255:
If anyone could provide some help, it would be very helpful.
06-01-2024 01:32 PM - edited 06-01-2024 02:04 PM
Ok - ISE does support this. But you MUST create the Vendor ID from scratch in the GUI.
You tell ISE upfront whether to use 1, 2 or 4 byte Type IDs.
Here in ISE 3.2
Navigate to Policy > Policy Elements > Dictionaries > Radius > RADIUS Vendors
Click "+Add"
Once you have done that, you can add the 32-bit Attributes.
Below is the export from ISE for a quick example definition - only one attribute added. If you import this into ISE (with no current 637 VendorID present) it will work, but the Type Field Length is set to 1 (wrong). I think ISE should be setting that to a "2" since 1698 doesn't fit into one byte.
VENDOR Alcatel-ESAM 637
BEGIN-VENDOR Alcatel-ESAM
ATTRIBUTE E-ESAM-PoL-Vp-ID 1698 integer BOTH
END-VENDOR Alcatel-ESAM
The attribute will be added as ID 1698. However, I am unsure whether ISE will send a 1-byte or a 2-byte value. I guess you proved that in your own testing - the import works, but since Type is 1 byte, ISE sends only 1 byte. Open a TAC case.
One thing is clear though: in this state (after import) you cannot create 2-byte IDs in the GUI, because the range is 0-255.
Long story short, looks like you have to create these definitions from scratch, and not from an import. And bring this to the attention of the TAC please.
05-31-2024 04:55 PM
Very curious. I had a look at the RFC2865 and the Vendor ID is 32 bit (upper byte always 0) - that means the Vendor ID looks like it's in the correct range. Type field is defined in that same RFC as being 8 bits (decimal 0-255). So looks like ISE is going by the RFC. Unless the vendor is using an RFC that supersedes RFC2865?
05-31-2024 11:35 PM
I found an entry on the FreeRadius page that states that Alcatel ESAM VSAs are indeed two-byte values.
I don't understand how this fits in with the RFC definition of a single byte. It appears though, that FreeRadius supports this double byte VSA ID. You might have to open a TAC case to ask how to support this. RADIUS is a very old protocol and although I mentioned the RFC2865, it appears that RFC 6929 added support for Extended Vendor Support - this might be the clue.
# -*- text -*-
# Copyright (C) 2011 The FreeRADIUS Server project and contributors
#
# Alcatel ESAM's VSAs
#
#
# The vendor specific attribute type is two bytes, where the
# first is the project ID and the second is the project specific
# attribute ID. The project ID 7 is assigned to 7302 ISAM
# project.
VENDOR Alcatel-ESAM 637 format=2,1
BEGIN-VENDOR Alcatel-ESAM
ATTRIBUTE A-ESAM-VRF-Name 0x0700 string
ATTRIBUTE A-ESAM-Vlan-Id 0x0701 integer
ATTRIBUTE A-ESAM-QOS-Profile-Name 0x0702 string
ATTRIBUTE A-ESAM-QOS-Params 0x0703 string
ATTRIBUTE A-ESAM-Termination-Cause 0x0704 integer
Have you tried entering 241 into the ISE RADIUS Dictionary ID Field (which only allows 0-255)? Perhaps ISE reacts to that and opens the door to allow you to define those larger IDs. Just a random thought (I don't currently have access to ISE to test).
But RFC 6929 seems to hold the answers.
06-02-2024 07:54 PM - edited 06-02-2024 08:08 PM
Hello Arne,
I just retested this morning, and it is finally working!!!
Unfortunately, I'm not able to open a TAC as I don't have any contract for Cisco ISE since I'm using an evaluation license for interoperability testing purposes. However, I'll try to push the integrator for this project to do it.
Do you have any suggestions for opening a TAC from my side?
I want to say a big thank you for all the valuable information you shared and the time you took to test it on your own Cisco ISE!
Cheers,
Mathias
06-02-2024 09:18 PM
No worries - I learnt something too in the process. Please do me a favour and log this as a TAC case? You'll be handing them all the answers on a silver platter - should be easy enough for them to fix this in the code that is responsible for importing the custom vendor stuff. I have come up with some pseudocode that summarises the situation:
for each Attribute ID value
    if ( value > 255 AND value < 65536 ) then Vendor Attribute Field Type Length = 2
    elseif ( value > 65535 ) then Vendor Attribute Field Type Length = 4
    else Vendor Attribute Field Type Length = 1
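To make both the truncation from the opening post (0x06A3 sent as 0xA3, so 1699 arrives as 163) and the sizing rule in the pseudocode above concrete, here is an added Python example; it is not code from the thread, from Cisco ISE or from FreeRADIUS. It parses ATTRIBUTE lines from a dictionary excerpt (constructed here from the poster's file; the same parser also accepts the 0x0700-style IDs in the FreeRADIUS file), derives the vendor type field length from the largest ID, and encodes a Vendor-Specific attribute with the RFC 2865 layout so the effect of a 1-byte versus 2-byte type field can be read back off the wire bytes.

```python
import struct

# Constructed excerpt of the dictionary from the opening post (vendor 637).
DICTIONARY = """
VENDOR Alcatel-ESAM 637
BEGIN-VENDOR Alcatel-ESAM
ATTRIBUTE Nokia-AMS-Role 2 string BOTH
ATTRIBUTE A-ESAM-PoL-QOS-Profile-Name 1696 string BOTH
ATTRIBUTE A-ESAM-PoL-Client-Type 1699 integer BOTH
END-VENDOR Alcatel-ESAM
"""

def parse_attributes(text):
    """Map attribute name -> vendor type ID from ATTRIBUTE lines.
    int(x, 0) also accepts the 0x0700 style used in the FreeRADIUS file."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ATTRIBUTE":
            attrs[parts[1]] = int(parts[2], 0)
    return attrs

def required_type_length(type_ids):
    """Smallest vendor-type field (1, 2 or 4 bytes) that fits the largest ID."""
    biggest = max(type_ids)
    if biggest > 0xFFFF:
        return 4
    return 2 if biggest > 0xFF else 1

def encode_vsa(vendor_id, type_id, value, type_len):
    """Build a Vendor-Specific (26) attribute with the RFC 2865 layout:
    Type | Length | Vendor-Id (4) | Vendor-Type (type_len) | Vendor-Length | value.
    Masking the type to type_len bytes is what turns 0x06A3 into 0xA3 at 1 byte."""
    mask = (1 << (8 * type_len)) - 1
    sub = (type_id & mask).to_bytes(type_len, "big")
    sub += bytes([type_len + 1 + len(value)]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([26, 2 + len(body)]) + body

def vendor_type_on_wire(vsa, type_len):
    """Vendor type as the NAS decodes it from the encoded attribute."""
    return int.from_bytes(vsa[6:6 + type_len], "big")

if __name__ == "__main__":
    attrs = parse_attributes(DICTIONARY)
    print("type field length needed:", required_type_length(attrs.values()))
    for name, tid in attrs.items():
        seen = vendor_type_on_wire(encode_vsa(637, tid, b"\x00", 1), 1)
        print(f"{name}: {tid} sent with a 1-byte type field arrives as {seen}")
```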