Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3590
Views
16
Helpful
4
Replies

ISE normalized radius vs radius attributes

Go to solution
Maurice Ball
Level 3
Level 3

‎04-02-2020 02:03 AM

What is the difference between an ISE normalized radius attribute vs an ISE radius attribute?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Maurice Ball
Level 3
Level 3
In response to Mike.Cifelli

‎04-03-2020 12:58 AM

The following is what I needed to know. Here is a great answer provided by Arne Bier.

Re: Use Cases for various RADIUS Attributes in Cisco ISE

 

 

Hi @Maurice Ball 

 

A Normalised RADIUS attribute in ISE is a convenient abstraction that allows us to use a common attribute in our Policy Set Logic in a multi-vendor environment. E.g. if you have a mix of Cisco and Aruba WLC's, then you can either do it the hard way, by checking for the vendor specific attributes used, e.g. Cisco uses attribute Called-Station-ID for the SSID, and Aruba uses Aruba-Essid-Name.  Perhaps a bad example, because I am no Aruba guru ;-) - but you get the point. There are other instances where vendor A signals a MAB Auth request with Service-Type = "Call-Check" and another vendor uses Service-Type = "Blah".  Cisco ISE has multi-vendor support, and as long as you set the NAS with the correct Device Vendor Type ("Device Profile") then ISE does the internal mapping for you. Then you can use abstractions like Normalised Radius SSID which is vendor agnostic. You no longer need to care how it works under the hood.

Other abstractions are things like the Compound Conditions like Wireless_8021X and Wired_802.1X - have a look at those in detail and you can see that each vendor does it slightly differently.

View solution in original post

4 Replies 4

Go to solution
Maurice Ball
Level 3
Level 3
In response to gurbinder.kabbay

‎04-02-2020 04:28 AM

I do not see the answer to my question in the post listed below.

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎04-02-2020 06:08 AM

They represent separate attributes that you can reference as conditions in your ISE policies. The breakdown of attributes for radius vs normalized radius attributes is covered perfectly here:
https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253#toc-hId--26278376
HTH!
0 Helpful

Go to solution
Maurice Ball
Level 3
Level 3
In response to Mike.Cifelli

‎04-03-2020 12:58 AM

The following is what I needed to know. Here is a great answer provided by Arne Bier.

Re: Use Cases for various RADIUS Attributes in Cisco ISE

 

 

Hi @Maurice Ball 

 

A Normalised RADIUS attribute in ISE is a convenient abstraction that allows us to use a common attribute in our Policy Set Logic in a multi-vendor environment. E.g. if you have a mix of Cisco and Aruba WLC's, then you can either do it the hard way, by checking for the vendor specific attributes used, e.g. Cisco uses attribute Called-Station-ID for the SSID, and Aruba uses Aruba-Essid-Name.  Perhaps a bad example, because I am no Aruba guru ;-) - but you get the point. There are other instances where vendor A signals a MAB Auth request with Service-Type = "Call-Check" and another vendor uses Service-Type = "Blah".  Cisco ISE has multi-vendor support, and as long as you set the NAS with the correct Device Vendor Type ("Device Profile") then ISE does the internal mapping for you. Then you can use abstractions like Normalised Radius SSID which is vendor agnostic. You no longer need to care how it works under the hood.

Other abstractions are things like the Compound Conditions like Wireless_8021X and Wired_802.1X - have a look at those in detail and you can see that each vendor does it slightly differently.

Customers Also Viewed These Support Documents