VIP Advocate

Dynamic Variable for VLANs Based on Network Device

I am trying to get a dynamic variable to work using information under the network device.  I can't seem to find a combination that works.  I know how to manually set a VLAN assignment using RADIUS custom attributes (Tunnel Private Group ID, Medium Type and Tunnel Type).  I am trying to use a dynamic variable mapping in the Tunnel Private Group ID as has been well documented using AD/LDAP attributes, but I am trying to use something under the network device.


I tried creating an NDG called Data_VLAN and then put the different VLAN numbers under that.  That didn't work, but I suspect that the variable is passing back the full path to the object, not just the end value.  Next I tried the model type value, which is free-form text.  I set it to 20 and referenced that in the dynamic variable, and it still didn't work.  In the live log details it doesn't show ISE even trying to pass any of the 3 values, almost like it errors out on the dynamic variable.


If I change the dynamic variable to hard code the value to 20 it works just fine.  So I know my syntax is correct under the authorization profile.  I just can't find a dynamic variable under a network device that works.  Any thoughts?  Yes I know I can use VLAN groups, pass VLAN names and numbers, but the customer doesn't have standard VLAN names or numbers and we don't want to touch the switches at all. 


Thanks.

Collaborator

It is probably because the network device information that is included in the request is not held or used in the processing of authorization responses.  With AD/LDAP, there is a unique identity and all of its attributes/groups are queried for the purposes of authorization.  There is no need for ISE to query NDG or network device attributes.  Hard to explain.

Sounds like your only option may be to use different policy sets or authorization rules based on the NDG and return specific values.


Colby that is what I was afraid of.  Do you know for sure that is true or are you just guessing?


That is just my best educated guess.  Can someone from the BU confirm?


If using NDG, it will send the whole path of NDG, which is the problem. So we addressed this by allowing NDG description to hold the VLAN ID or VLAN Name instead which should work with ISE 2.3p7, 2.4p10, 2.6p3, and 2.7.
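The failure mode described in this reply (the NDG variable expands to the group's full hierarchy path, which a switch cannot use as a VLAN) and the workaround (binding the VLAN ID or name to the NDG description instead) can be modelled with a small validator. The example below is added here and is not ISE's code or anything from this thread's posters; the `#` path separator, the `SAMPLE_NDG` record and the `build_vlan_attributes`/`check_vlan_assignment` names are constructed assumptions. The RFC 3580 values for Tunnel-Type (13 = VLAN) and Tunnel-Medium-Type (6 = IEEE-802) are real.

```python
import re

# RFC 3580 values a switch expects in a dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type = VLAN
TUNNEL_MEDIUM_TYPE_IEEE802 = 6   # Tunnel-Medium-Type = IEEE-802

# Assumption: the NDG hierarchy path is rendered with "#" between levels.
NDG_PATH_SEPARATOR = "#"

# Constructed sample NDG record: a leaf group "20" under Data_VLAN whose
# description also carries the bare VLAN id (the workaround from the reply).
SAMPLE_NDG = {
    "path": "All Device Types#Data_VLAN#20",
    "description": "20",
}


def build_vlan_attributes(ndg: dict, source: str) -> dict:
    """Build the three RADIUS attributes of an authorization profile, binding
    Tunnel-Private-Group-ID to the NDG field named by `source`.
    "path" models the NDG variable; "description" models the workaround.
    An unknown field yields None, like a dynamic variable that never expands."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE802,
        "Tunnel-Private-Group-ID": ndg.get(source),
    }


def check_vlan_assignment(attrs: dict) -> tuple:
    """Validate the attribute triple the way a switch would read it.
    Returns (accepted, reason); a full NDG path is rejected."""
    ttype = attrs.get("Tunnel-Type")
    tmed = attrs.get("Tunnel-Medium-Type")
    group = attrs.get("Tunnel-Private-Group-ID")
    if ttype != TUNNEL_TYPE_VLAN:
        return False, f"Tunnel-Type must be {TUNNEL_TYPE_VLAN}, got {ttype!r}"
    if tmed != TUNNEL_MEDIUM_TYPE_IEEE802:
        return False, f"Tunnel-Medium-Type must be {TUNNEL_MEDIUM_TYPE_IEEE802}, got {tmed!r}"
    if group is None or str(group) == "":
        return False, "Tunnel-Private-Group-ID missing"
    group = str(group)
    if NDG_PATH_SEPARATOR in group:
        # This is what the NDG variable produces: the whole path, not the leaf.
        return False, f"Tunnel-Private-Group-ID is an NDG path: {group!r}"
    if group.isdigit():
        vid = int(group)
        if 1 <= vid <= 4094:
            return True, f"VLAN id {vid}"
        return False, f"VLAN id {vid} out of range 1-4094"
    if re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", group):
        return True, f"VLAN name {group!r}"
    return False, f"unusable VLAN value {group!r}"


if __name__ == "__main__":
    for source in ("path", "description", "model"):
        attrs = build_vlan_attributes(SAMPLE_NDG, source)
        print(source, "->", check_vlan_assignment(attrs))
```

Running the block shows the three outcomes from the thread side by side: the NDG path is rejected, the description value `20` is accepted as a VLAN id, and a field that never expands produces a missing attribute, which matches the poster's observation that the live log shows none of the three values being sent.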


Ahh thank you.  I will try that.  Any reason why the model type field doesn't work?  It shows as just the value when we look at the log record details. 

Cisco Employee

Just because the attribute is selectable on the right-hand side of the value pair doesn't mean it is supported. Each attribute we introduce to be available for dynamic matching, whether it is for a condition or an AuthZ profile, has a cost to the system, so not all of them are exposed.