10-01-2017 08:15 PM
Is there any way to send the interface description, or any other value which can uniquely identify an interface, in RADIUS requests?
e.g.
interface f0/0
description AP
I want to send "AP" in any of the RADIUS attributes or Cisco VSAs to ISE.
In other words, I want to send an attribute which can be set on an interface via the CLI.
Please let me know if anyone can think of any idea.
10-02-2017 04:38 PM
Not sure if there is a NAD config that would send the interface description, but have you tried interpreting the NAS-Port attribute, using attribute nas-port format in IOS to give you interface naming? Your mileage may vary based on what IOS you're using, and what port type you're using. But worth testing in the lab if you can.
Cisco IOS has a VSA that may also help:
radius-server vsa send authentication
aaa nas port extended
10-03-2017 02:46 AM
Hi Utkarsh,
I asked a similar question here: https://supportforums.cisco.com/t5/aaa-identity-and-nac/send-interface-description-to-ise/td-p/3093103
When I was testing, I enabled RADIUS debugs on the switch and modified various options to see if the description was ever sent, and unfortunately it was not.
If you find a way to do it, would you mind letting me know?
Likewise, if you raise an enhancement request and give me the reference, I will attach my own case to it.
Cheers.
03-30-2018 09:24 AM
I had a similar requirement from a customer (tag certain ports to be treated differently), and I was able to utilize the NAS-Port-Type attribute to send a Port-Type other than Ethernet and filter on the new type being sent for those ports. Not ideal, but may be a usable workaround for you. On the switch port, configure with 'radius attribute nas-port-type <type id>'.
https://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13
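Added example, not part of any post in this thread: a small Python decoder for checking in a lab capture which NAS-Port-Type (attribute 61) and NAS-Port-Id (attribute 87) a switch actually puts in an Access-Request, so a policy condition can match the tagged ports. The sample packet, the tag value 19 and the NAS-Port-Id string are constructed; what a given IOS release sends in these attributes is something to confirm on your own platform.

```python
import struct

# Subset of the IANA NAS-Port-Type registry (RADIUS attribute 61).
NAS_PORT_TYPES = {0: "Async", 5: "Virtual", 15: "Ethernet", 19: "Wireless-IEEE-802.11"}
INT_ATTRS = {5: "NAS-Port", 61: "NAS-Port-Type"}
TEXT_ATTRS = {1: "User-Name", 87: "NAS-Port-Id"}

def attr(atype: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute (length covers the 2-byte header)."""
    return bytes([atype, len(value) + 2]) + value

def parse_radius(packet: bytes) -> dict:
    """Return {attribute name: value} for the attributes this example knows."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        value = packet[pos + 2:pos + alen]
        if atype in INT_ATTRS:
            if len(value) != 4:
                raise ValueError("integer attribute must be 4 bytes")
            attrs[INT_ATTRS[atype]] = struct.unpack("!I", value)[0]
        elif atype in TEXT_ATTRS:
            attrs[TEXT_ATTRS[atype]] = value.decode("utf-8", "replace")
        pos += alen
    return attrs

def is_tagged_port(attrs: dict, tag_type: int) -> bool:
    """True when the switch sent the NAS-Port-Type reserved for tagged ports."""
    return attrs.get("NAS-Port-Type") == tag_type

# Constructed Access-Request (code 1) with a zeroed authenticator; values are made up.
_body = (attr(1, b"001122334455") + attr(87, b"FastEthernet0/0")
         + attr(61, struct.pack("!I", 19)))
SAMPLE = struct.pack("!BBH", 1, 7, 20 + len(_body)) + bytes(16) + _body

if __name__ == "__main__":
    decoded = parse_radius(SAMPLE)
    kind = NAS_PORT_TYPES.get(decoded["NAS-Port-Type"], "unknown")
    print(decoded, kind, is_tagged_port(decoded, tag_type=19))
```
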