I am setting up ISE 2.3 with OpenOTP. Connectivity is working between ISE and the OTP server. I'd like to return a value to ISE to place the user in a specific ASA group policy. I can get it to work when I set the OTP Server with this config:
cisco-avpair ACS:CiscoSecure-Group-Id=usergroup where the usergroup is the value I would like to return.
I would like to extract the value from the LDAP department value instead of hard coding the value like above.
I've tried a few different combinations and can see the desired attribute using radtest. However, the ISE does not recognize the value. I've tried attribute ASA-Group-Policy with LDAP:Department. I also modified the OTP Attribute to be both LDAP and ASA-Group-Policy. I'm not sure how that would be set up in this case though.
Can I pull a value from LDAP and return it to ISE to use to assign ASA Group Policy? If so, can you please share the syntax?
Thanks.
Sam