
ISE user dictionary, how to make it?

Hi guys.

I'm virtually fighting with an ISE and its user dictionary policies. I need to match some devices using a field attribute called "IdentityStoreName"; but this rule does not exist in the system dictionary // InternalEndpoint, which is the position where this rule (I think) should be located and created.

Ok, let's go with the user dictionary: I use the following information, following other similar system dictionary rules.

Name: OwnerEndpoint.

Version: 1

Dictionary attribute Type: MSG_ATTR

Dictionary Type: User

And then, I create the dictionary attribute:

Attribute Name: IdentityStoreName

Description: IdentityStoreName

Internal Name: IdentityStoreName

Data Type: STRING

Dictionary: OwnerEndpoint

For the last two fields, the documentation says that both are drop-down lists, but I only see that Data Type is a drop-down list.

"All attribute fields marked with an asterisk (*) require that you enter a value. All other fields are optional. The Data Type and Dictionary fields are drop-down lists that allow you to choose from a list of options."


http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_resources.html#wp1112473

Lastly, I create the allowed values that match the IdentityStoreName field of the selected device.

I save, and then I create the authorization rule, but it never seems to work. I don't know if I am doing something wrong or if I'm missing a step.

I would be grateful if somebody could tell me what might be failing, or give an example of a working user dictionary rule so I can see the "logic" of this feature. The documentation about this mechanism is a little bit thin.

Thanks.


2 Replies

jrabinow
Level 7

Can you please share some details of the use case you are trying to configure?

Why are you interested in this IdentityStoreName? What value are you planning to retrieve, and what condition do you want to check?

Hi.

I want ISE to be able to match the connected device with the owner of this device registered in the ISE DB, because this condition lets me apply different results depending on the source of the device added to ISE. I will use the autoprovisioning feature using CWA; in this scenario, up to this step, only the MAC address of the device is known, and so no other policies can be profiled for the users and devices.

IdentityStoreName is an interesting field for me because this field points to the LDAP query group that the user who added the device belongs to. In this way, I could apply some attributes to every device added by a user belonging to this group.

In Identity/Endpoints, if you select any device you can see a lot of attributes for the added device; one of them is IdentityStoreName, which stores the name of the identity store where the user is located.

Thanks in advance.

Best Regards.
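Before building an authorization condition on an endpoint attribute such as the IdentityStoreName described above, it is worth confirming that the attribute is actually populated for the registered endpoints. The following is an added example, not code from the thread or from Cisco: it groups endpoints by the identity store they were registered from, using a constructed sample in the shape this example assumes the ISE ERS endpoint resource returns (the `identityStore` and `portalUser` fields, ERS on port 9060 with basic auth, are assumptions).

```python
"""Audit which identity store each ISE-registered endpoint was added from.

Added example; the ERS field names below are assumptions, not taken
from the thread.
"""
import json
from collections import defaultdict

# Constructed sample of what GET /ers/config/endpoint/{id} is assumed to
# return for three endpoints; the third was never tied to a portal user.
SAMPLE_ENDPOINTS = [
    {"ERSEndPoint": {"mac": "00:11:22:33:44:55", "portalUser": "alice",
                     "identityStore": "AD_Users", "groupId": "g1"}},
    {"ERSEndPoint": {"mac": "00:11:22:33:44:66", "portalUser": "bob",
                     "identityStore": "AD_Users", "groupId": "g1"}},
    {"ERSEndPoint": {"mac": "00:11:22:33:44:77", "portalUser": "",
                     "identityStore": "", "groupId": "g2"}},
]


def group_by_identity_store(endpoints):
    """Map identity store name -> sorted list of MACs.

    Endpoints with an empty store land under 'UNSET', so a policy
    condition that relies on the store name is visibly incomplete.
    """
    groups = defaultdict(list)
    for ep in endpoints:
        e = ep["ERSEndPoint"]
        store = e.get("identityStore") or "UNSET"
        groups[store].append(e["mac"].lower())
    return {store: sorted(macs) for store, macs in groups.items()}


def fetch_endpoints(host, user, password, verify=True):
    """Pull the first page of endpoints from ISE ERS (needs 'requests').

    Not exercised by the offline sample; paging via 'nextPage' is left out.
    """
    import requests
    base = f"https://{host}:9060/ers/config/endpoint"
    hdr = {"Accept": "application/json"}
    page = requests.get(base, headers=hdr, auth=(user, password), verify=verify)
    page.raise_for_status()
    out = []
    for res in page.json()["SearchResult"]["resources"]:
        r = requests.get(res["link"]["href"], headers=hdr,
                         auth=(user, password), verify=verify)
        r.raise_for_status()
        out.append(r.json())
    return out


if __name__ == "__main__":
    print(json.dumps(group_by_identity_store(SAMPLE_ENDPOINTS), indent=2))
```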