Send User-Name back to NAD

Hi there,

As far as I know, most NADs (ex.: WLC, Catalysts) accept the "User-Name" back from the RADIUS server.

I'm currently using this, with my current in-house built RADIUS, to send the real user to the WLC when doing MAB.

So, a user registers its device by MAC, the NAD makes the request using the MAC address but gets back the real name. So, when I go to the WLC page I can see the real user, not the MAC.

Unfortunately ISE seems to set the User-Name as Input only (Direction = IN), so I can't send it back on Access-Accept, and as far as I can see I can't edit the dictionary entry because it's a default one.

How can I overcome this problem?

Thanks
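As an added illustration (not the original poster's code and not anything from ISE), here is a minimal Python sketch of the call flow described above: the NAD sends the MAC as User-Name in the MAB Access-Request, and the RADIUS server answers with an RFC 2865 Access-Accept whose User-Name is the registered owner, signed with the Response Authenticator the NAD verifies against the shared secret. The MAC-to-user table, the MAC values and the secret are constructed sample data; an unregistered MAC gets an Access-Reject.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1  # RFC 2865 section 5.1: User-Name is permitted in Access-Accept

# Constructed registration table (not from the thread): MAB sends the MAC as User-Name.
MAC_TO_USER = {"00-11-22-33-44-55": "rduarte", "aa-bb-cc-dd-ee-ff": "guest42"}


def parse_attrs(payload: bytes) -> dict:
    """Return {type: value} for the attribute section of a RADIUS packet."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def radius_reply(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build a response packet; the NAD recomputes this MD5 to authenticate it."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def answer_mab_request(request: bytes, secret: bytes) -> bytes:
    """Accept a registered MAC with the owner's name as User-Name; reject others."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    mac = parse_attrs(request[20:]).get(ATTR_USER_NAME, b"").decode().lower()
    user = MAC_TO_USER.get(mac)
    if user is None:
        return radius_reply(ACCESS_REJECT, ident, req_auth, b"", secret)
    user_attr = struct.pack("!BB", ATTR_USER_NAME, 2 + len(user)) + user.encode()
    return radius_reply(ACCESS_ACCEPT, ident, req_auth, user_attr, secret)


def build_mab_request(ident: int, mac: str) -> bytes:
    """Constructed MAB Access-Request: User-Name carries the MAC address."""
    attr = struct.pack("!BB", ATTR_USER_NAME, 2 + len(mac)) + mac.encode()
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr)) + os.urandom(16) + attr


def shown_user_name(reply: bytes) -> str:
    """What the NAD (e.g. the WLC client page) displays: User-Name from the reply."""
    return parse_attrs(reply[20:]).get(ATTR_USER_NAME, b"").decode()
```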

2 Accepted Solutions

Arne Bier (VIP)

@Ricardo T Duarte - amen brother!  that's the feature I've also been looking for and waiting for in ISE 2.4 but it never made it. It's such a trivial request too.  Any radius server should be able to do this.  Lack of this feature is also causing me pain with my MAB Remember Me call flows.

I was doing exactly the same thing with Cisco Access Registrar (but there I had the power of tcl scripting to add almost unlimited features to the product - attribute manipulation was the most important and most powerful feature of this product - no need to wait for a BU to "introduce new features"!!!).  One of my wishes for ISE is that they open the product up to allow scripting points.  So that we can interact at various points of the packet processing.  Imagine what we could do with this product!

If you can add your weight to the discussion then that would be amazing.  I think Cisco prefers you send product enhancements via the ISE tool itself ("Feedback" in the Help page) - but not sure where that lands up.


Agree, also see https://community.cisco.com/t5/security-documents/ise-2-3-remember-me-guest-using-guest-endpoint-group-logging/ta-p/3641150

There is a defect there about sending username. Please provide this in your feedback.


12 Replies


How hard can it be for Cisco to go to the dictionary and set the direction to "BOTH"...

I miss ClearPass. It allowed me to build my responses combining multiple attributes, that could come from multiple sources.

@Ricardo T Duarte - let's say Cisco made it direction = BOTH - what would you do next?  I am interested to know what your approach would be.

cheers

Scenario 1 - ISE standalone

Advanced Attributes

\ User-Name = PortalUser

I would prefer not to have @domain on the PortalUser, but that would already be something.

Scenario 2 - External Database

I also have my own external mysql database that has MAC addresses and the UserNames that registered them.

Advanced Attributes

\ User-Name = Username (from External DB)

Scenario 3 - Passive Id

Advanced Attributes

\ User-Name = Username (from Passive Id)

I'm assuming ISE does expand those values to their values, and will not put a "Username" word there.

I would also then use this to update my firewall IP-to-User mapping, by using an accounting proxy in-between ISE and NAD.

Currently I have to rely on an in-house built pxGrid solution that subscribes for session info and then gets the username.

 

oh that's brilliant!  Thanks, you've just taught me something new in ISE.  I guess in hindsight it's quite obvious, but I never thought of trying to overwrite the User-Name (not that I could, because it's IN only).  But there're a lot of other dictionary attributes that can be utilised there - might be something I need to keep in mind.

thanks for that useful pointer.

I didn't try to see if ISE does substitute the variable name with its value, under advanced attributes.

I'm assuming it does, given that it allows me to select the available attributes from a list.

If it doesn't, then the problem is worse than I thought. Another feature request.

Ok,

Made a quick test, and ISE just puts the text there.

It does not expand the variables.

Example:

I put an advanced attribute there, and selected the value as EndPoints:LogicalProfile.

The response shows the text "EndPoints:LogicalProfile" and not the real value.

Great feedback, sent to PMs.

howon (Cisco Employee)

If anyone happens to create a TAC SR regarding this, make sure to attach it to the following defect:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm77990/ (Certain RADIUS attribute direction is not RFC2865 compliant)

Why is this marked Solved! This isn't solved at all. I can't understand how this product has made it this far without this very simple and RFC required feature. This is one of the first features I enabled with FreeRADIUS and it was simple, powerful and straightforward. This is just sad.

This is marked as solved because technically it can't be done and is a feature request. Please reach out to our PMs with your customer info at http://cs.co/ise-feedback and attach to the defects under this posting: https://community.cisco.com/t5/security-documents/ise-2-3-remember-me-guest-using-guest-endpoint-group-logging/ta-p/3641150

CSCvh04231 & CSCva66612: enhancement for the future; please reach out to our Product Managers via http://cs.co/ise-feedback ("Guest remember me radius accounting and access accept not sending guest username").