05-31-2018 05:11 PM
The customer has a setup where they are retrieving specific AD attributes for a user during an authentication session and reports on ISE are then sent to a syslog server where these attributes are parsed.
In the ACS production environment, when a device authenticates to the system, the AD lookup brings back the user information, along with any of the groups and AD attributes that have been defined under the Join point. Due to that, the syslog output contains all of those attributes automatically. The billing team then runs a Parser against the syslog and is able to look for those AD attributes.
However, in the ISE testing we noticed that by default, no attributes were automatically being brought back during the authentication session, regardless of whether it was a MAB or Dot1x session. If we physically inserted attribute conditions within the authorization policy, the attributes and their values would appear in the ISE local logs and the syslog output.
So only if the attributes were defined as a condition in the authorization policy would we see ISE retrieving those attributes for that user.
I am inclined to think this is by design; however, I was not able to find this documented anywhere. Can you confirm this please?
Thanks,
Malavika
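The parser step described in the question, as an added example that is not code from the thread or from Cisco: it parses the comma-separated `key=value` fields of an ISE-style syslog line and reports which expected AD attributes are absent, which is exactly the symptom seen when the authorization policy does not reference them. The sample log lines and the attribute names (`AD-User-Department`, `AD-User-Mail`) are constructed for illustration and are not taken from the original post.

```python
import re

# Constructed sample syslog lines modelled on the comma-separated key=value
# style of ISE passed-authentication records. Field names and values are
# illustrative, not copied from any real deployment or from the thread.
SAMPLE_WITH_ATTRS = (
    "<181>May 31 17:11:00 ise01 CISE_Passed_Authentications 0000012345 1 0 "
    "2018-05-31 17:11:00.123 -04:00 0000098765 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=jdoe, Protocol=Radius, "
    "AD-User-Department=Billing, AD-User-Mail=jdoe@example.com, "
    "AuthorizationPolicyMatchedRule=Employees"
)

# Same session shape, but no authorization rule referenced the AD attributes,
# so ISE never fetched them and they are missing from the record.
SAMPLE_WITHOUT_ATTRS = (
    "<181>May 31 17:12:00 ise01 CISE_Passed_Authentications 0000012346 1 0 "
    "2018-05-31 17:12:00.456 -04:00 0000098766 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=jdoe, Protocol=Radius, "
    "AuthorizationPolicyMatchedRule=Default"
)

# AD attributes the billing parser expects to find (hypothetical names).
EXPECTED_AD_ATTRS = ("AD-User-Department", "AD-User-Mail")

# One key=value field; the value runs up to the next comma.
KV_RE = re.compile(r"([A-Za-z0-9_.\-]+)=([^,]*)")


def parse_ise_syslog(line):
    """Return every key=value field of an ISE-style syslog line as a dict.

    The free-text prefix (priority, host, record type, timestamps, message
    text) contains no '=' and is therefore skipped by the regex.
    """
    fields = {}
    for match in KV_RE.finditer(line):
        fields[match.group(1)] = match.group(2).strip()
    return fields


def missing_ad_attributes(fields, expected=EXPECTED_AD_ATTRS):
    """List expected AD attributes that the session record does not carry.

    ISE only retrieves an AD attribute when an authorization policy condition
    or profile references it, so a non-empty result points at a policy that
    does not reference those attributes rather than at a parser problem.
    """
    return [name for name in expected if not fields.get(name)]


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_ATTRS, SAMPLE_WITHOUT_ATTRS):
        parsed = parse_ise_syslog(sample)
        missing = missing_ad_attributes(parsed)
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{parsed.get('UserName')}: {status}")
```

Running the parser over a batch of records and alerting when `missing_ad_attributes` returns anything gives a quick check that the authorization policy still references every attribute the downstream billing parser depends on, which is easy to lose when policy rules are edited.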
06-01-2018 08:44 AM
It is documented in the ACS to ISE migration guide, Page 21.
How to Migrate ACS 5.x to ISE 2.x
- Krish
05-31-2018 08:59 PM
That is correct. ACS 5.x uses an ID store sequence to determine the ID stores from which to retrieve attributes, whereas ISE uses authorization policy rules and profiles.
06-01-2018 11:14 AM
Thank you for confirming, krishnamurthy!
06-01-2018 11:14 AM
Thanks for confirming, Hsing!