Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
501
Views
0
Helpful
5
Replies

NAS_IP Starts With in Policy Sets

Go to solution
brbesset
Cisco Employee
Cisco Employee

‎07-09-2019 06:28 AM

In 2.3, you could create a Policy Set that had a "Starts with" condition for matching a NAS_IP. However, in 2.4, we are only seeing equals/not-equals as a condition. Is this a bug or did something change in 2.4 that removed the "starts with" condition?

 

Thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎07-21-2019 04:59 PM

Assuming this referring to Radius.NAS-IP-Address, I checked both ISE 2.2 and 2.3 in our lab and found its operator can only be Equals/No Equals, exactly the same as ISE 2.4.

ISE 2.2 introduces network conditions, which can be used to achieve this objective.

Screen Shot 2019-07-21 at 4.55.20 PM.png

Screen Shot 2019-07-21 at 4.56.20 PM.png

View solution in original post

0 Helpful
5 Replies 5

Go to solution
paul
Level 10
Level 10

‎07-10-2019 06:23 AM

Not sure if that is a bug or by design, but the Network Access·NetworkDeviceName.  That should be the name of the network device making the request.  Assuming you are trying to make a policy set for a particular location and that location has a good network device naming structure you should be able to use Starts with to get the desired effect.

0 Helpful

Go to solution
brbesset
Cisco Employee
Cisco Employee
In response to paul

‎07-10-2019 11:10 AM

I don't think we can use the Device Name as people can bring in their devices ad-hoc. That's why it would be based of "starts with."

 

I disagree that this is solved. Can someone let me know if it's a bug since it was overlooked from the 2.3 version? 

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to brbesset

‎07-10-2019 11:18 AM

I am confused.  You were asking about NAS IP, which is the IP address of the network device authenticating against ISE.  No one is bring in ad-hoc network devices and somehow making them authenticate against ISE.  The NAS IP address structure and network device name structure should be a well understood and documented.  Assuming a good network device naming structure is in place doing network device name starts with should be similar to NAS IP starts with.

0 Helpful

Go to solution
brbesset
Cisco Employee
Cisco Employee
In response to paul

‎07-11-2019 01:24 PM

Paul, We do bring in ad-hoc equipment all the time. At least we move equipment from site to site depending on needs and don't change the hostnames. It's not the "best practice", but due to the nature of business, it happens. That's why we cannot use the name as a site location. That is why we were requesting the "Starts with" for IP. I still think it's a valid request.
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎07-21-2019 04:59 PM

Assuming this referring to Radius.NAS-IP-Address, I checked both ISE 2.2 and 2.3 in our lab and found its operator can only be Equals/No Equals, exactly the same as ISE 2.4.

ISE 2.2 introduces network conditions, which can be used to achieve this objective.

Screen Shot 2019-07-21 at 4.55.20 PM.png

Screen Shot 2019-07-21 at 4.56.20 PM.png

0 Helpful
Customers Also Viewed These Support Documents