Odysseu$
Beginner

How to use Endpoint Custom Attributes to control network access (DACL or VLAN)?

I would like to use an endpoint custom attribute to trigger the network access a device has. So, as an example, if I have a device that has an endpoint custom attribute of Display, I would like to use that as a condition to assign a specific DACL or VLAN to that device while it is on the network.

Can anyone point me in the right direction to get this done? I have created results (authorization profiles), one for each VLAN and one for the DACL, but I do not know how to apply them in a policy set. I would imagine the logic would be: if you connected via wired or wireless MAB and the device has a custom endpoint attribute assigned where the "custom device type" equals "Display", then either change the VLAN or use a downloadable ACL to control access for that device. I just can't figure out how to do that, and I haven't found a resource (video, article, configuration guide) that covers limiting access based on custom endpoint attributes.

Your help is appreciated.

3 Accepted Solutions
Odysseu$
Beginner

Thanks for that, and what you are showing is what I expect to see. The question is: how do I get the attribute to show up in a library for a policy? I find nowhere in my libraries the ability to use that custom endpoint attribute. In your picture it appears that endpoints have a CustomAttr field... how did that happen? My point is I cannot connect the dots from creating the attribute to having it actually appear as an option in a policy.

Hi @Odysseu$

Please double-check that you are not trying to add the Endpoint Custom Attribute in the Authentication Policy... for this kind of condition you should add it in the Authorization Policy.

Hope this helps !!

So, one thing for anyone who reads this. To get the authorization policy to show, this is what must be done.

Create a policy set. Add some form of connectivity as the condition (802.1X, MAB, etc.), then SAVE THE POLICY (key thing not mentioned anywhere). After you save the policy there is a big > at the end of the policy (notice there is nothing that says this is how you find the authorization policy); if you click on the big > it will expand the policy and, behold, the authorization policy makes its appearance. If you try to click on > without saving, it doesn't work and you can't see the authorization policy.

Thank you to everyone that helped. All of your replies are true and part of the solution.

8 Replies

I appreciate that. And if I were using a version that presented an authorization policy in the policy set configuration, I think I would have it. When I add a condition in the policy set, this is what I get:

[image: image.png]

And there is no way to use the CUSTOMATTRIBUTE dictionary that my custom endpoint items exist in, in a policy set. What am I missing?

[image: image.png]

Hi @Odysseu$

Create your Endpoint Custom Attribute at:

Administration > Identity Management > Settings > Endpoint Custom Attribute:

[image: 01.png]

At Policy > Policy Set > select your Policy > Authorization Policy... at the Attribute condition, type your Custom Attribute:

[image: 02.png]

Hope this helps !!!


In addition to the information provided by Marcelo for defining the Endpoint Custom Attribute and creating a Condition and/or Authorisation Policy to use it, the endpoint needs to be associated with that attribute.

If the attribute is not being provided by an External Identity Source like AD, you will need to manually edit the endpoint in Context Visibility and assign the custom attribute you defined.

Example:

Creating the attribute

[image: Screen Shot 2021-04-19 at 11.49.56 am.png]

Defining the AuthZ Policy

[image: Screen Shot 2021-04-19 at 11.53.13 am.png]

Assigning the attribute to the Endpoint

[image: Screen Shot 2021-04-19 at 11.53.39 am.png]
