Dynamic Variable Matching Identity Group Description

paul
Level 10

In my installs I always allow for a whitelist called Remediate_Later that we put MAC addresses into that we can't easily figure out.  This allows us to move out of Monitor mode quicker.  On a larger install I want to lock the Remediate_Later concept down to sites, but I don't want to create all the corresponding MAB rules.  I am trying to get dynamic variable matching to work.


So I have endpoint identity groups configured as Remediate_Later_<Site Name> and I put the site code in the description field, i.e. Site1.  All the network devices names at the site start with Site1.


In my dynamic variable match I say:


Network Access:network device name starts with Identity Group:description


I can make that condition but it doesn't seem to work.  I can see in the step data that the PIPs are being queried.  I can't use other fields like device location or identity group name because they contain the full path to the object, i.e. Identity Groups:Whitelists:Remediate_Later:Remediate_Later_<Site Name> or All Locations#<Site Name>.


I was hoping the description field would be coded straight up as the string I put in.  Should this work?  I am guessing no one in Dev ever thought of this use case.


Any other ideas to accomplish this without writing 100s of MAB rules?

Accepted Solution

hslai
Cisco Employee

Identity Group:description does not appear to fetch its value at all.

Instead, it's working ok with an endpoint attribute:


Network Access·NetworkDeviceName Starts With EndPoints·assetTag


Hsing,
I just got around to testing this today. I created a custom endpoint attribute called Asset-Location. I then put the location name in that field. I was then able to match "Network Device:Location contains Endpoint:Asset-Location". Thanks for the solution.
Now when I put my endpoints into my whitelist I can lock them into a particular location without having to create a bunch of rules.
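The following is an added example, not code from the thread or from Cisco ISE: a small Python model of the attribute-to-attribute conditions discussed above (group description, full-path group name, assetTag with "starts with", and Asset-Location with "contains"), evaluated over constructed network devices and endpoints. The comparison semantics (case-insensitive prefix/substring) are an assumption of the model; it also shows why a site code such as Site1 needs care when another site code (Site10) begins with it, and lists whitelisted endpoints that carry no site attribute and so can match no device.

```python
# Added example (not from the thread): a model of the ISE-style conditions
# discussed above, run over constructed data. Attribute names follow the
# thread; the matching semantics are an assumption of this model.

# Constructed network devices: names start with the site code and the
# location attribute carries the full hierarchy path, as in the question.
NADS = [
    {"NetworkDeviceName": "Site1-SW-01", "Location": "All Locations#Site1"},
    {"NetworkDeviceName": "Site2-SW-07", "Location": "All Locations#Site2"},
    {"NetworkDeviceName": "Site10-SW-02", "Location": "All Locations#Site10"},
]

GROUP = "Identity Groups:Whitelists:Remediate_Later:Remediate_Later_"

# Constructed endpoints. None models an attribute the PIP does not return.
ENDPOINTS = {
    "AA:BB:CC:00:00:01": {"IdentityGroupName": GROUP + "Site1",
                          "IdentityGroupDescription": None,
                          "assetTag": "Site1", "Asset-Location": "Site1"},
    "AA:BB:CC:00:00:02": {"IdentityGroupName": GROUP + "Site2",
                          "assetTag": "Site2", "Asset-Location": "Site2"},
    "AA:BB:CC:00:00:03": {"IdentityGroupName": GROUP + "Site1"},  # no site attr
}


def condition(nad_attr, op, ep_attr):
    """Build a predicate for '<NAD attribute> <op> <endpoint attribute>'."""
    def evaluate(nad, endpoint):
        left, right = nad.get(nad_attr), endpoint.get(ep_attr)
        if not left or not right:
            return False          # an unfetched or empty attribute never matches
        left, right = left.lower(), right.lower()
        return left.startswith(right) if op == "starts with" else right in left
    return evaluate


def matching_sites(mac, cond):
    """Site codes of the devices on which this endpoint would hit the condition."""
    ep = ENDPOINTS[mac]
    return sorted(n["Location"].split("#")[-1] for n in NADS if cond(n, ep))


def missing_site_attribute(attr="Asset-Location"):
    """Whitelisted endpoints without the site attribute: they can match no device."""
    return sorted(mac for mac, ep in ENDPOINTS.items() if not ep.get(attr))


if __name__ == "__main__":
    for nad_attr, op, ep_attr in [("NetworkDeviceName", "starts with", "IdentityGroupDescription"),
                                  ("NetworkDeviceName", "starts with", "assetTag"),
                                  ("Location", "contains", "Asset-Location")]:
        c = condition(nad_attr, op, ep_attr)
        print(nad_attr, op, ep_attr, [(m, matching_sites(m, c)) for m in ENDPOINTS])
    print("no site attribute:", missing_site_attribute())
```

Running it shows the description-based condition matching nothing, and both working conditions pinning endpoint 01 to Site1 but also to Site10 because of the shared prefix.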