06-15-2018 08:22 AM - edited 02-21-2020 10:58 AM
Hello,
I'd like to share a couple of ideas for features I'd like to see in the next versions of ISE: as far as I know, they are not available, but feel free to correct me if I'm wrong!
1) Ability to modify Policy Sets via REST API: it is already possible to modify lots of things via API (complete list here); however, policy sets cannot be created/modified/deleted via API. This is like having a bathtub full of lego bricks and not being able to play with them!
2) Ability to use references to attributes in authorization profiles: that would allow for some pretty neat tricks. Let's suppose, for example, that you want to use the Identity PSK feature of Cisco WLC 8.5; this is a new feature that allows you to set different pre-shared keys for different clients for an SSID using WPA-PSK (see here for an overview). However, if I'm not mistaken, you have to write a new authorization rule and a new authorization profile for every different PSK.
It would be much better, in my opinion, to simply add an attribute to the Endpoints (let's call it ipsk) and reference it in a single authorization profile.
Instead of having multiple authorization profiles like these, each with its own authorization rule...
Access Type = ACCESS_ACCEPT
cisco-av-pair = psk-mode=ascii
cisco-av-pair = psk=SharedPassword1
Access Type = ACCESS_ACCEPT
cisco-av-pair = psk-mode=ascii
cisco-av-pair = psk=SharedPassword2
Access Type = ACCESS_ACCEPT
cisco-av-pair = psk-mode=ascii
cisco-av-pair = psk=SharedPassword3
You would have a single authorization profile, with a reference to the attribute and a single authorization rule, referencing the "dynamic" authorization profile.
Access Type = ACCESS_ACCEPT
cisco-av-pair = psk-mode=ascii
cisco-av-pair = psk=$InternalEndpoint.ipsk
This feature would not be strictly necessary if we had feature #1, but would still allow for much more compact authorization rules.
The predefined authorization profile Cisco_WebAuth already has something like that:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=ACL_WEBAUTH_REDIRECT
cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=404e0f70-2e02-11e8-ba71-005056872c7f&action=cwa
The references ip, port and SessionIdValue are populated at runtime.
Is there some Cisco overlord out there that can tell us if something like this has ever been considered?
Best regards,
Silla
Solved! Go to Solution.
06-15-2018 09:00 AM
Hi,
You might have better luck reaching out to Cisco here.
In regard to your scenario you mentioned, I previously labbed a similar scenario for management of FlexVPN PSK, normally I'd have created a unique Authorization Profile per VPN peer which can become very tedious. What you can do is create a User Custom Attribute e.g VPN-PSK, then create an Internal ISE user, fill in the string value as your PSK in the custom attribute field VPN-PSK. Create 1 Authorization Profile and define an advanced attribute setting:- Radius:Tunnel-Password = InternalUser:VPN-PSK. You would then use this Authorization Profile in a rule and it would query the defined in the VPN-PSK field under the user/vpn peer being authorized.
This may be helpful to you.
06-15-2018 09:00 AM
Hi,
You might have better luck reaching out to Cisco here.
In regard to your scenario you mentioned, I previously labbed a similar scenario for management of FlexVPN PSK, normally I'd have created a unique Authorization Profile per VPN peer which can become very tedious. What you can do is create a User Custom Attribute e.g VPN-PSK, then create an Internal ISE user, fill in the string value as your PSK in the custom attribute field VPN-PSK. Create 1 Authorization Profile and define an advanced attribute setting:- Radius:Tunnel-Password = InternalUser:VPN-PSK. You would then use this Authorization Profile in a rule and it would query the defined in the VPN-PSK field under the user/vpn peer being authorized.
This may be helpful to you.
06-15-2018 09:29 AM
Hello,
thank you very much for your answer!
What you can do is create a User Custom Attribute e.g VPN-PSK, then create an Internal ISE user, fill in the string value as your PSK in the custom attribute field VPN-PSK. Create 1 Authorization Profile and define an advanced attribute setting:- Radius:Tunnel-Password = InternalUser:VPN-PSK. You would then use this Authorization Profile in a rule and it would query the defined in the VPN-PSK field under the user/vpn peer being authorized.
I've tried doing something very similar using a custom attribute for an endpoint, instead of a user, but I couldn't get it to work. But if it works in your case, maybe I can get it to work in mine!
Best regards,
Silla Rizzoli
06-22-2018 10:03 AM
I got it to work in my case too! So I guess we already have feature #1, so #2 is not strictly needed...
Ciao!
12-27-2018 03:52 AM
I think this will help you
Greetings
Philip
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide