[ISE] Return endpoint group name as an advanced attribute value on authorization profile

Antho_Balitrand · ‎04-20-2018

Hello guys !

Another question about ISE :-)

I would like to return the endpoint group name as an Advanced attribute value on an authorization profile.

The reason : several endpoint groups, each one corresponding to a VLAN name. I want each endpoint to have the VLAN corresponding to its endpoint group dynamically assigned.

That's why I need to return the endpoint's endpoint group name as a value for the Tunnel-Private-Group-ID RADIUS attribute.

This attribute is not available on the "endpoints" categorie of the Advanced attributes values:

There's a "name" value available on the "Identity Group" category, but when I try with this one, the attribute is not returned on the RADIUS response, and I have this log on the request detail:

Can someone help me on this topic?

Octavian Szolga · ‎04-23-2018

Hi,

I don't have access to any ISE now, but if the built in attribute is not available for a direct mapping, I belive you can create your own custom endpoint attribute (group) in system dictionaries (I think) and use that instead for dynamic substitution.

Regards,

Octavian

Antho_Balitrand · ‎04-23-2018

Hello Octavian,

Yes, it's exactly what I did. I created an endpoint custom attribute, and I have a script synchronizing the value of this custom attribute with the name of the endpoint group of each endpoint.

But it's not very efficiant, and not simple. It would be so much simple to juste be able to return the endpoint's endpoint group name as an Advanced radius attribute value...