Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
771
Views
1
Helpful
10
Replies

NAD Group tree remove

Go to solution
rvacher
Cisco Employee
Cisco Employee

‎10-24-2017 09:22 AM

Hi all,

I am working on a POV where I need to create an authorization rule that is the following:

  • If “NameOfTheLocation” contains “AD Group that the user belongs” (string comparison) then Access

Which gives the following:

But I realized it does not work as the output is the following:

Is there a way to remove #Location#All Locations in the location output?

Thanks in advance

1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10
In response to rvacher

‎10-25-2017 10:53 AM

Yep that should work. Again this is at the WLC level not AP level when you do network device stuff.  So assuming you have a WLC at each of the 4000 locations, you load them all into ISE as a network device and fill out the model name correctly you can match to AD/LDAP attributes.

I just tested with my setup and worked perfectly.  I setup a user in AD and used the Office field as my flag:

Capture.JPG

I then mapped that attribute into ISE:

Capture.JPG

I made sure that string was defined under my Network Device:

Capture.JPG

Then I built my rule:

Capture.JPG

Worked perfectly in the live logs:

Capture.JPG

So you should be able to do the same with matching an LDAP attribute.

View solution in original post

0 Helpful
10 Replies 10

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎10-24-2017 12:03 PM

Hi Remi,

If you are using AD groups, you need to download the groups from AD and use them in your conditions. You cant map an AD group to locations. You have to use an attribute in the AD group that contains the location if it is available in the AD.

Not clear what you are looking to do.

Thanks

Krishnan

0 Helpful

Go to solution
rvacher
Cisco Employee
Cisco Employee
In response to kthiruve

‎10-24-2017 12:41 PM

Hi Krishnan,

Let me explain again :

- Objectif : Check if a user that connect to the network work in the place he is connecting from without using one rule for each of the office (4000) as it wouldn't scale

- Want we do is a comparison between the AD Group that this user belong (to check in which office he works) and the name of the device where the request come from (AD Group and Location defined in ISE match in terms of syntax)

Problem that I have when doing that - Location attributes gives me the following while I would just need to get HB9B8

If I was getting HB9B8 it would work as my rule is "memberOf" contains "HB9B8"

But with the Location#All Locations Iit does not. I was thinking to create a Network Device Group Root but I realized it would still have a chain..Is there any way I could define my variable HB9B8 when I configure my NAD to be able to do this comparison?

Thanks

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to rvacher

‎10-25-2017 06:44 AM

Unless you have a WLC at every location this may not work.  The NDG location is the location of the network device making the RADIUS request.  If you have APs all over the place controlled by a central WLC then this probably won't work.

If you look a the RADIUS Called Station ID like Dustin recommended you have options there.  On the WLC under RADIUS->Authentication you can change what the WLC uses for the RADIUS Called Station ID.  The default is AP MAC:SSID.  Change that to AP Name:SSID.  Now you will have the name of the AP name the user is connecting to in the RADIUS Called Station ID.

Assuming your have good AP naming conventions, like HB9B8-AP1, HB9B8-AP2, etc. then you can write a condition to say:


RADIUS Called Station ID contains HB9B8 and them write a rule that says:


If Member of WIFIHotel-HB9B8 and RADIUS Called Station ID contains HB9B8 then allow the user to connect.

0 Helpful

Go to solution
rvacher
Cisco Employee
Cisco Employee
In response to paul

‎10-25-2017 06:58 AM

Hi Paul, Dustin,

Yes but this would be for a unique hotel : (there are 4000)

If Member of WIFIHotel-HB9B8 and RADIUS Called Station ID contains HB9B8 then allow the user to connect.


I would need to do :

If Member of ADGroup (WIFIHotel-HB9B8) contains RADIUS Called Station ID (HB9B8) then allow the user to connect.


I don't think it would work if RADIUS Called Station ID has something more than HB9B8 as an output...


Rémi

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to rvacher

‎10-25-2017 08:05 AM

The RADIUS Called Station ID has whatever output you configure on the controller. Like I said if you modify it to “AP Name:SSID” you should be set. As an example the AP named Hotel1-AP1 and an SSID called Internal-Access would have a RADIUS Called Station ID of “Hotel1-AP1:Internal-Access”. So I could have a condition saying if RADIUS Called Station ID contains “Hote1” to know the user is connecting to Hotel 1’s Wifi. You are right this may not scale to 4000, but I wouldn’t think all 4000 hotels have unique access requirements.

I am assuming this is a hotel group like Starwood or something that may have brands underneath it. So you could AP name like this:

Marriott-LosAngeles-AP1

Marriott-SanFrancisco-AP1

Hyatt-LosAngeles -AP1

Then I could key off if the RADIUS Called Station ID contains Marriott then craft rules who can access the SSID at Marriott hotels.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
rvacher
Cisco Employee
Cisco Employee
In response to paul

‎10-25-2017 10:24 AM

Yes Paul in that way a person working at Marriot-Paris will also be able to access network from Marriot-London.

Is there a way to just get the first part of RADIUS Called Station ID to compare it?

Can't I put my HB8B9 in model name for example and use that in the Authorization rule? screenshot3.png

0 Helpful

Go to solution
rvacher
Cisco Employee
Cisco Employee
In response to rvacher

‎10-25-2017 10:44 AM

screenshot7.pngscreenshot6.png

Don't you think that this could work? Would the output of Model Name will be HB2829?

Thanks

Rémi

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to rvacher

‎10-25-2017 10:59 AM

This should work as well. The contains should work for AD group matching.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to rvacher

‎10-25-2017 10:53 AM

Yep that should work. Again this is at the WLC level not AP level when you do network device stuff.  So assuming you have a WLC at each of the 4000 locations, you load them all into ISE as a network device and fill out the model name correctly you can match to AD/LDAP attributes.

I just tested with my setup and worked perfectly.  I setup a user in AD and used the Office field as my flag:

Capture.JPG

I then mapped that attribute into ISE:

Capture.JPG

I made sure that string was defined under my Network Device:

Capture.JPG

Then I built my rule:

Capture.JPG

Worked perfectly in the live logs:

Capture.JPG

So you should be able to do the same with matching an LDAP attribute.

0 Helpful

Go to solution
Dustin Anderson
VIP
VIP

‎10-24-2017 02:01 PM

I think I get what you are asking. Are there other things using that name that you could maybe call like radius call station ID?

Does each location have a WLC by that name and call the NAD name?

I'm not sure what is all possible, Would be nice to be able to use regex in rules.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents