ISE Authz for AC 4.7 UDID

VVVENKAT (Cisco Employee)

With AnyConnect 4.7 sending the UDID to ISE, one of my customers would like to use it in an AuthZ condition and check it against a SQL DB before granting complete access. The UDID is sent as "PhoneID" by AnyConnect. I just wanted to confirm whether I can create a custom user attribute with the internal name PhoneID and write an AuthZ rule to check the value against the SQL DB.

Many Thanks

V.Venkata Manikandan

2 Accepted Solutions

Jason Kunst (Cisco Employee)
I don’t think this is possible but will check with the SME

UDID is not exposed via API. 

Also, regarding your initial query , as Jason mentioned, you cannot use the UDID attribute in Authz profile today.

The use case we support today is with a Posture condition, wherein we can manually add the UDID to an AD attribute and use it to get compliance information from AD.

Thanks,

Nidhi 

8 Replies

Thanks Jason. Will wait for the response.

Many Thanks

V.Venkata Manikandan

Hi Jason,

Also, is this PhoneID exposed via ISE API or PxGrid Session Object?

Many Thanks

V.Venkata Manikandan

toyip (Cisco Employee)

Hi Nidhi,

Got a customer looking to use the UDID in the posture condition. Do you have a working example of how this is done as you stated above?

Hi @toyip,

I haven't tried the following yet, but it's worth a shot ...

AD

 . insert the UDID in the description field (for example) of a user.

ISE

 . Administration > Identity Management > External Identity Sources > Active Directory > select your AD, at the Attributes tab, select an attribute from AD (for example: description)

 . Policy > Policy Sets > select your policy > Authorization Policy:

  - Condition

Cisco.cisco-av-pair CONTAINS <your AD>.description

Note: in this case the Cisco.cisco-av-pair has the UDID of the user.

Hope this helps !!!

Hi Marcelo,

Thanks for your reply. I thought the UDID was part of a posture condition, as suggested by the other folks in this thread. But your suggestion says otherwise (no posturing involved). I've been looking at the posture conditions in a lab, but I'm not seeing how you can use the UDID in them.

To clarify, the UDID has to be added in AD itself, then ISE picks it up as an AD attribute. Is that correct?

Hi @toyip ,

 that's correct. UDID has to be added in AD itself.

Note: just like adding an IP telephone number in AD (for example, using the ipPhone attribute).

Regards.
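The authorization condition Marcelo proposes above (Cisco.cisco-av-pair CONTAINS <your AD>.description, with the UDID copied by hand into the user's AD attribute) can be simulated offline to see how the match behaves before committing it to a policy set. The following is an added example written for this page, not ISE code and not anything posted in the thread. It assumes that AnyConnect carries the UDID as a cisco-av-pair value of the form "mdm-tlv=device-uid=<64 hex chars>" (an assumption about the attribute format; the thread only says the UDID is in cisco-av-pair), and the profile names PermitAccess and LimitedAccess are hypothetical. It goes one step beyond the thread by contrasting the CONTAINS (substring) match with an exact comparison of the extracted UDID:

```python
"""Offline simulation of:  Cisco.cisco-av-pair CONTAINS <your AD>.description

Added example, not ISE code. Assumes the UDID arrives in a cisco-av-pair value
shaped like "mdm-tlv=device-uid=<64 hex chars>" (format is an assumption) and
that the same UDID was pasted into the user's AD "description" attribute.
"""
import re
from dataclasses import dataclass

# Constructed sample values, not captured RADIUS traffic.
SAMPLE_UDID = "3f0c9a1e7b2d4c6a8e5f1d2c3b4a59687766554433221100ffeeddccbbaa9988"
SAMPLE_AV_PAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=00-11-22-33-44-55",
    f"mdm-tlv=device-uid={SAMPLE_UDID}",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 4.7.00136",
]

# Assumed value format; adjust the prefix if your AnyConnect build encodes it differently.
UDID_RE = re.compile(r"^mdm-tlv=device-uid=([0-9a-fA-F]{64})$")


def extract_udid(av_pairs):
    """Return the UDID carried in the cisco-av-pair values, lower-cased, or None."""
    for value in av_pairs:
        m = UDID_RE.match(value.strip())
        if m:
            return m.group(1).lower()
    return None


def av_pair_contains(av_pairs, needle):
    """ISE-style CONTAINS over a multi-valued attribute: true if any value contains needle.

    An empty or missing needle is treated as no match, so an account whose AD
    description was never populated cannot satisfy the condition (fail closed in
    this simulation; check how your ISE release evaluates an empty attribute).
    """
    if not needle or not needle.strip():
        return False
    needle = needle.strip().lower()
    return any(needle in value.lower() for value in av_pairs)


@dataclass
class AuthzResult:
    profile: str   # hypothetical authorization profile name
    reason: str


def authorize(av_pairs, ad_description, strict=True):
    """Choose an authorization profile from the UDID match.

    strict=False reproduces the thread's CONTAINS condition, which is a substring
    match: an AD description holding only part of the UDID still permits access.
    strict=True compares the extracted UDID with the AD value for equality, which
    is what the policy actually intends.
    """
    if strict:
        udid = extract_udid(av_pairs)
        expected = (ad_description or "").strip().lower()
        if udid is not None and expected and udid == expected:
            return AuthzResult("PermitAccess", "UDID in cisco-av-pair equals AD description")
        return AuthzResult("LimitedAccess", "no exact UDID match")
    if av_pair_contains(av_pairs, ad_description):
        return AuthzResult("PermitAccess", "cisco-av-pair CONTAINS AD description")
    return AuthzResult("LimitedAccess", "no UDID match")


if __name__ == "__main__":
    for desc in (SAMPLE_UDID, SAMPLE_UDID[:8], ""):
        loose = authorize(SAMPLE_AV_PAIRS, desc, strict=False).profile
        exact = authorize(SAMPLE_AV_PAIRS, desc).profile
        print(f"description={desc!r}: CONTAINS -> {loose}, exact -> {exact}")
```

The point of the strict path is the caveat a practitioner would want before deploying the CONTAINS rule: because CONTAINS is a substring match, a truncated or partially pasted value in AD (or an attribute that was populated with something unrelated that happens to appear in another cisco-av-pair value) still evaluates true, so keep the AD attribute populated with the full UDID and nothing else, and treat an empty attribute as a deny.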