Beginner

Issue with ISE AuthZ Policy

We have an issue with ISE selecting the appropriate AuthZ policy based on the device NDG name. A customer has 200+ locations, with each location having a specific code to specify the geographical location / building / floor. Their business requirement is that only computers with the appropriate code in their hostname can connect to the appropriate locations/switches.

Example:

Location codes: ABC, CDF1, FGH2B

Valid Computer hostnames: WABC12312, PCDF14415, BFGH2B5543

So far, I've created a new Network Device Group hierarchy, containing the location codes, and have attached that to the switches on the specific locations.

 

Authentication of computers is performed via EAP-TTLS/MSCHAPv2 and that works fine. The issue comes with the AuthZ rules, where I wanted to:

Computers: check whether the computer name contains the location code (derived from the switch's NDG)

So, the problem I'm seeing is that the NDG string that I get when trying to use »Contains« or »Starts with« does not contain the actual 3-5 letter code, but rather the string in the format of »Group name#Category#LocationCode«, which I can of course not use when directly comparing the two strings (computer name). I would really need just the part after the last '#' sign, but have no clue how to tell ISE that. Any ideas on how to achieve that? Currently ISE fails the check and falls back to the AuthZ rule, which only verifies the computer name.

ACCEPTED SOLUTION

Cisco Employee

Network Device Groups (NDG) are hierarchical and the names always include the full path from the root to the leaf and the left-hand-side (LHS) of ISE attribute-to-attribute comparison has to be a full name. As a result, I do not see an option to use NDG. You might try other attributes, such as the description, the model name, or software version, instead. Perhaps, we should also ask an enhancement for custom attributes for network devices.

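As an added illustration (example code written for this page, not anything from the thread, from the poster, or from Cisco ISE), the following Python runs the string handling the poster is asking the policy editor for over the codes and hostnames from the post. It shows why a rule that compares the hostname against the raw NDG string can never match, what extracting the leaf after the last '#' would give, and one caveat a practitioner should want: a plain "Contains" test also admits hostnames where the code merely happens to appear somewhere else. The NDG root and category names ("Location", "Site"), the switch addresses, and the one-prefix-letter naming convention inferred from the three sample hostnames are assumptions.

```python
import re

# Constructed sample data. The codes and hostnames come from the thread; the
# NDG root/category names "Location"/"Site" and the switch addresses are
# assumptions. ISE presents the group as the full root-to-leaf path joined
# with '#', which is the string the poster observed in the rule editor.
SWITCH_NDG = {
    "10.0.1.1": "Location#Site#ABC",
    "10.0.2.1": "Location#Site#CDF1",
    "10.0.3.1": "Location#Site#FGH2B",
}


def ndg_leaf(ndg_path: str) -> str:
    """Return the leaf of a hierarchical NDG path (the text after the last '#').

    A path without any '#' is returned unchanged.
    """
    return ndg_path.rsplit("#", 1)[-1]


def raw_contains_check(hostname: str, ndg_path: str) -> bool:
    """The comparison the poster's rule effectively performs: does the hostname
    contain the full NDG path? For a hierarchical NDG this is always False."""
    return ndg_path in hostname


def location_code_matches(hostname: str, code: str, anchored: bool = True) -> bool:
    """Does the hostname carry the location code?

    anchored=False is the plain 'Contains' test the poster asked for. It also
    accepts hostnames in which the code merely appears by accident, so with a
    code of 'ABC' a machine named 'PCABCD12' would be admitted to ABC's switches.

    anchored=True follows the convention visible in the thread's examples
    (WABC12312, PCDF14415, BFGH2B5543): one prefix letter, the code, then
    digits. That convention is an assumption; adjust the pattern to the real
    naming standard before relying on it.
    """
    if not anchored:
        return code in hostname
    pattern = r"[A-Z]" + re.escape(code) + r"\d+"
    return re.fullmatch(pattern, hostname) is not None


def authorize(hostname: str, switch_ip: str, anchored: bool = True) -> str:
    """Simulated AuthZ outcome for a computer authenticating through a switch.

    'LOCATION_MATCH' stands for the rule the poster wants to hit; 'FALLBACK'
    for the rule ISE currently ends up in, which checks only the computer name.
    """
    ndg_path = SWITCH_NDG[switch_ip]
    code = ndg_leaf(ndg_path)
    if location_code_matches(hostname, code, anchored):
        return "LOCATION_MATCH"
    return "FALLBACK"


if __name__ == "__main__":
    samples = [
        ("WABC12312", "10.0.1.1"),  # right location
        ("WABC12312", "10.0.2.1"),  # wrong location
        ("PCABCD12", "10.0.1.1"),   # code embedded by accident
    ]
    for host, switch in samples:
        print(host, switch,
              "raw:", raw_contains_check(host, SWITCH_NDG[switch]),
              "contains:", authorize(host, switch, anchored=False),
              "anchored:", authorize(host, switch))
```

None of this can be expressed inside the ISE rule editor, which is the point of the accepted answer. Where it could live is an external process that stamps the bare leaf code into a flat per-device attribute such as the description, as the answer suggests, so that the short string rather than the full path is what the comparison sees; whichever way it is done, prefer the anchored form of the check over a bare substring match.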

2 REPLIES

VIP Advisor

Interesting challenge.

I don't think it's possible. This is where having an extensible framework would be handy (i.e. pre- and post-processing scripting points at various stages of the AAA processing). Or allow more power in the Editor.

If (theoretically) you could flatten your Device Location structure, where every possible location was in the top level of the hierarchy (i.e. no hierarchy), then would this work? I am not sure whether the string comparison would include all those '#' hashes. Maybe you have tried this already.
