Send interface description in Radius Attribute

umahar · ‎10-01-2017

Is there any way to send interface description or any other value which can uniquely identify an interface from radius requests ?

eg.

interface f0/0

description AP

I want to send "AP" in any of the radius attributes or Cisco VSAs to ISE.

In other words I want to send an attribute which can be set to an interface via CLI.

Please let me know if anyone can think of any idea.

Arne Bier · ‎10-02-2017

Not sure if there is a NAD config that would send the interface description, but have you tried interpreting the NAS-Port attribute, using attribute nas-port format in IOS to give you interface naming? Your mileage may vary based on what IOS you're using, and what port type you're using. But worth testing in the lab if you can.

Cisco IOS has a VSA that may also help

radius-server vsa send authentication

aaa nas port extended

ITCOMMS · ‎10-03-2017

Hi Utkarsh,

I asked a similar question here : https://supportforums.cisco.com/t5/aaa-identity-and-nac/send-interface-description-to-ise/td-p/3093103

When I was testing I enabled RADIUS debugs on the switch and modified various options to see if the description was ever sent and unfortunately it was not.

If you find a way to do it would you mind letting me know?

Likewise if you raise an enhancement request if you give me the reference I will attach my own case to it.

Cheers.

Joshua Robertson · ‎03-30-2018

I had a similar requirement from a customer (tag certain ports to be treated differently), and I was able to utilize the NAS-Port-Type attribute to send a Port-Type other than Ethernet and filter on the new type being sent for those ports. Not ideal, but may be a usable workaround for you. On the switch port, configure with 'radius attribute nas-port-type <type id>'.

https://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13