Dynamic Authorization policy based on groups pulled from odbc

Hello.

There is a need for specific end clients to be able to connect/authenticate (EAP-TLS) on RADIUS via specific NAS/authenticators.

It can be a 1:1 (one end client allowed through a specific NAS only) or 1:many (one end client allowed through multiple NAS) relationship. These relationships can change and are dynamic.

I am able to get the dynamic 1:1 scenario done using ODBC "Fetch attributes" (a table with two columns: common name from the EAP-TLS certificate | serial number of the allowed NAS, i.e. cn|router).

The RADIUS request has the NAS serial number in the NAS-Identifier field, so an authorization policy as below works.

[screenshot: authorization policy for the 1:1 case]

authdetails is the name of the ODBC connection in ISE and router is the column with the NAS serial number.

However, I can't get this to work for the 1:many case where groups need to be involved (Fetch groups in ODBC).

Three backend tables: one with the list of devices (common names from the cert), one with the groups (list of NAS serial numbers), one with the group relationship (device -> NAS serial number linkage).

An authorization policy like the one below does not work. I can see in the debug logs that the groups a device is in are fetched successfully.

[screenshot: authorization policy for the 1:many (group) case]

Update:

This works only if I fetch the groups in the "ODBC Identity Source" and they are populated in the list of allowed values.

[screenshot: ODBC Identity Source with fetched groups in the allowed-values list]

  1. Can't ISE just take the value in the NAS-Identifier field and check whether it is in the list of fetched groups during the actual authentication? (It does fetch the list of groups during the authentication attempt.)
    • Essentially, for a group-based check, can't ISE compare the value/text in the authorization policy against the list of group names fetched from the ODBC during authentication? (Why does it also require the list of all valid/allowed group names to be predefined?)
  2. If the above is not possible, is there a way to keep this allowed list up to date programmatically?

Any inputs appreciated.
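To make the three-table layout concrete, here is an added SQL sketch that is not from the thread or from Cisco's ISE documentation: table and column names, the sample rows and the `:cn` input placeholder are all assumptions, and the exact stored-procedure calling convention ISE expects should be taken from the ODBC identity source documentation rather than from this snippet.

```sql
-- Constructed example schema; table and column names are assumptions.
CREATE TABLE devices (
    cn VARCHAR(128) PRIMARY KEY          -- Common Name from the EAP-TLS client certificate
);

CREATE TABLE nas_groups (
    group_name VARCHAR(64) PRIMARY KEY   -- one group per NAS serial, i.e. the NAS-Identifier value
);

CREATE TABLE device_nas (
    cn         VARCHAR(128) NOT NULL REFERENCES devices(cn),
    group_name VARCHAR(64)  NOT NULL REFERENCES nas_groups(group_name),
    PRIMARY KEY (cn, group_name)          -- one row per allowed device/NAS pairing
);

-- Constructed sample data: 'sensor-01' may authenticate through NAS 'NAS-SERIAL-A'
-- or 'NAS-SERIAL-B' (the 1:many case); 'sensor-02' only through 'NAS-SERIAL-A' (1:1).
INSERT INTO devices    VALUES ('sensor-01'), ('sensor-02');
INSERT INTO nas_groups VALUES ('NAS-SERIAL-A'), ('NAS-SERIAL-B');
INSERT INTO device_nas VALUES ('sensor-01', 'NAS-SERIAL-A'),
                              ('sensor-01', 'NAS-SERIAL-B'),
                              ('sensor-02', 'NAS-SERIAL-A');

-- Body of the "fetch groups" procedure: given the certificate CN ISE passes in
-- (:cn is an assumed input parameter), return the NAS groups the device belongs to.
-- This result is what the authorization policy compares against NAS-Identifier.
SELECT g.group_name
FROM device_nas d
JOIN nas_groups g ON g.group_name = d.group_name
WHERE d.cn = :cn;

-- Body of the "fetch all groups" procedure: every group name. This is the list the
-- ODBC identity source loads into its allowed values when groups are fetched there,
-- so adding a NAS row to nas_groups and re-fetching is the maintenance step at issue.
SELECT group_name FROM nas_groups;
```

Revoking a device's access to a NAS is then a single `DELETE` from `device_nas`, and the first query stops returning that group on the next authentication.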

3 Replies

Updated the original question with the new data.

thomas (Cisco Employee)

Your methodology sounds correct. If the 'in' operator is not working, try 'contains' since the value returned may be treated as a string.

Consider looking at any of the docs under https://cs.co/ise-berg#odbc for similar situations and solutions.

Thanks for the reply @thomas.
The 'in' operator does work (I updated the original question).

But it works only if I fetch the groups in the "ODBC Identity Source" and they are populated in the list of allowed values.

So, essentially there are two checks being done by the authorization policy:

- First, whether the name (in this case the NAS-Identifier) is in the list of fetched groups (a list of NAS-Identifiers).

- Second, whether the name is in the list of valid group names (the allowed list).

So, the query now is:

- Isn't the first check itself sufficient?

- Is there a way to bypass the second check? (It does not add value in this situation.)

- If the second check has to happen, what are the programmable ways to keep the allowed values up to date?