Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5198
Views
23
Helpful
8
Replies

How to use Endpoint Custom Attributes to control network access (DACL or VLAN)?

Go to solution
Odysseu$
Level 1
Level 1

‎04-17-2021 02:05 PM

I would like to use an endpoint custom attribute to trigger the network access a device has.  So as an example if I have a device that has a endpoint custom attribute of Display, I would like to use that as a condition to assign a specific DACL or vlan to that device while it is on the network.

 

Can anyone point me in the right direction to get this done?  I have created a results with authorization profiles for each the vlan and one for the dacl but I do not know how to apply them in a policy set.  I would imagine the logic would be if you connected via wired or wireless mab and the device has a custom endpoint attribute assigned where the "custom device type" equals "Display" then either change the vlan or use a downloadable acl to control access for that device.  I just can't figure out how to do that, and I haven't found a resource (video, article, configuration guide) that covers limiting access based on custom endpoint attributes.

 

Your help is appreciated.

1 person had this problem
3 Accepted Solutions

Accepted Solutions

Go to solution
Odysseu$
Level 1
Level 1

‎04-18-2021 05:17 AM

Thanks for that and what you are showing is what I expect to see.  The question is how do I get the attribute to show up in a library for a policy?  I find no where in my libraries the ability to use that custom endpoint attribute.  In your picture it appears to have endpoints having a CustomAttr field...how did that happen?  My point is I cannot connect the dots from creating the attribute to having it actually appear as an option in a policy. 

View solution in original post

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to Odysseu$

‎04-18-2021 10:08 AM

Hi @Odysseu$ 

 please double check if you are not trying to add the Endpoint Custom Attribute in the Authentication Policy ... for this kind of Conditions you should add it in the Authorization Policy.

 

Hope this helps !!

View solution in original post

0 Helpful

Go to solution
Odysseu$
Level 1
Level 1
In response to Marcelo Morais

‎04-19-2021 05:42 AM - edited ‎04-19-2021 05:43 AM

So one thing for anyone who reads this.  To get the authorization policy to show.  This is what must be done.

 

Create a policy set.  Add some form of connectivity as the condition (802.1x, MAB, etc) then SAVE THE POLICY (key thing not mentioned anywhere).  After you save the policy there is a big > at the end of the policy (notice there is nothing that says this is how you find authorization policy) if you click on the big > it will expand out the policy and behold the authorization policy makes its appearance.  If you try to click on > without saving, it doesn't work and you can't see the authorization policy.

 

Thank you everyone that helped.  All of your replies are all true and part of the solution.

 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Odysseu$
Level 1
Level 1
In response to MHM Cisco World

‎04-17-2021 03:38 PM

I appreciate that. And if I was using a version that presented an
authorization policy in the policy set configuration I think I would have
it. When I add a condition in the policy set this is what I get:

[image: image.png]

And there is no way to use the CUSTOMATTRIBUTE dictionary that my custom
endpoint items exist in in a policy set, what am I missing?

[image: image.png]
0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to Odysseu$

‎04-17-2021 09:18 PM

Hi @Odysseu$ 

 create your Endpoint Custom Attribute at:

Administration > Identity Management > Settings > Endpoint Custom Attribute:

01.png

At Policy > Policy Set > select your Policy > Authorization Policy ... at the Attribute condition, type your Custom Attribute:

02.png

 

Hope this helps !!!

Go to solution
Odysseu$
Level 1
Level 1

‎04-18-2021 05:17 AM

Thanks for that and what you are showing is what I expect to see.  The question is how do I get the attribute to show up in a library for a policy?  I find no where in my libraries the ability to use that custom endpoint attribute.  In your picture it appears to have endpoints having a CustomAttr field...how did that happen?  My point is I cannot connect the dots from creating the attribute to having it actually appear as an option in a policy. 

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to Odysseu$

‎04-18-2021 10:08 AM

Hi @Odysseu$ 

 please double check if you are not trying to add the Endpoint Custom Attribute in the Authentication Policy ... for this kind of Conditions you should add it in the Authorization Policy.

 

Hope this helps !!

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Marcelo Morais

‎04-18-2021 06:56 PM

In addition to the information provided by Marcelo for defining the Endpoint Custom Attribute and creating a Condition and/or Authorisation Policy to use it, the endpoint needs to be associated with that attribute.

If the attribute is not being provided by an External Identity Source like AD, you will need to manually edit the endpoint in Context Visibility and assign the custom attribute you defined.

 

Example:

Creating the attribute

Screen Shot 2021-04-19 at 11.49.56 am.png

Defining the AuthZ Policy

Screen Shot 2021-04-19 at 11.53.13 am.png

Assigning the attribute to the Endpoint

Screen Shot 2021-04-19 at 11.53.39 am.png

0 Helpful

Go to solution
Odysseu$
Level 1
Level 1
In response to Marcelo Morais

‎04-19-2021 05:42 AM - edited ‎04-19-2021 05:43 AM

So one thing for anyone who reads this.  To get the authorization policy to show.  This is what must be done.

 

Create a policy set.  Add some form of connectivity as the condition (802.1x, MAB, etc) then SAVE THE POLICY (key thing not mentioned anywhere).  After you save the policy there is a big > at the end of the policy (notice there is nothing that says this is how you find authorization policy) if you click on the big > it will expand out the policy and behold the authorization policy makes its appearance.  If you try to click on > without saving, it doesn't work and you can't see the authorization policy.

 

Thank you everyone that helped.  All of your replies are all true and part of the solution.

 

0 Helpful
Customers Also Viewed These Support Documents