
ISE policy

Spyros Kasapis
Level 1

Hello,

Is there a way to create a policy based on the DestinationPort RADIUS attribute? (1812 or 1645)

Thanks in advance.

Spyros

2 Accepted Solutions


Greg Gibbs
Cisco Employee

I don't believe it is possible to create policy based on that value. There is no such attribute in the RADIUS RFC2865 and there are no Cisco-specific attributes that include this info in the supported ISE Network Access Attributes.

If you're wanting to create different policies based upon the Network Device initiating the RADIUS request, the common approach is to create Network Device Groups and use those as conditions in your policies.

 


We found a solution.

In ASA we make the requests from different IP addresses (interfaces).

In ISE the policy matches with the NAS IPv4 Address, which is different.

4 Replies

Mike.Cifelli
VIP Alumni
Take a look at this link:
https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253#toc-hId-1189009796
You may be able to utilize the NAS-Port attribute to meet your needs. HTH!

Thank you for your quick reply,

Greg, you are right, there is no such attribute in the RFC.

I saw it in ISE in Authentication details (other attributes), that's why I am asking.

attributes.jpg

I want to create a policy for requests coming from the same device (an ASA) with two authentication methods (primary, secondary).

The primary authentication should match the first policy and the secondary the other.

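
As an added illustration (not code from the thread or from Cisco), the sketch below parses the attribute list of an RFC 2865 Access-Request and selects a policy by NAS-IP-Address, the approach the thread settles on; the UDP destination port (1812 or 1645) is part of the UDP header and never appears among the attributes. The packets, addresses and policy names are constructed, and it assumes the "NAS IPv4 Address" shown in ISE corresponds to attribute type 4.

```python
import ipaddress
import struct

# RFC 2865 attribute types used in this example
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5

def build_access_request(user, nas_ip, nas_port, ident=1):
    """Build a minimal, constructed Access-Request (code 1) as sample input."""
    def attr(a_type, value):
        return bytes([a_type, len(value) + 2]) + value  # length covers type+len+value
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    authenticator = bytes(16)  # placeholder; a real client sends 16 random bytes
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return {type: value_bytes} for the attributes of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

# Hypothetical policy names keyed by NAS-IP-Address (documentation-range addresses)
POLICY_BY_NAS_IP = {"192.0.2.1": "ASA-Primary", "192.0.2.2": "ASA-Secondary"}

def select_policy(packet):
    """Pick a policy from the NAS-IP-Address attribute; fall back to Default."""
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS)
    if raw is None or len(raw) != 4:
        return "Default"
    return POLICY_BY_NAS_IP.get(str(ipaddress.IPv4Address(raw)), "Default")

if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2"):
        print(ip, "->", select_policy(build_access_request("alice", ip, 0)))
```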