cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4801
Views
0
Helpful
6
Replies

Using an AVpair value in an authorization rule

jpujol
Cisco Employee
Cisco Employee

Hi,

Within the list of a VPN session attributes, there are a few CiscoAVpair entries :

CiscoAVPair

mdm-tlv=device-platform=win,

mdm-tlv=device-mac=f0-d5-bf-23-97-04,

mdm-tlv=device-type=LENOVO 20FCS0NC1Q,

mdm-tlv=device-platform-version=10.0.10586 ,

mdm-tlv=ac-user-agent=AnyConnect Windows 4.3.03086,

mdm-tlv=device-uid=F5600BB8D654D66A726EB3C336965CED8A3EC152C8C6452FD07242C0CD589BB3,

The goal is to check if the "device-uid" or "device-mac" value belongs to a particular AD OU.

Is there a way to extract that string and play with that as a parameter in the authorization rule ?

thanks,

jean-francois

1 Accepted Solution

Accepted Solutions

I don’t think you can parse the attributes as individual fields. However, maybe you can do something like this:

View solution in original post

6 Replies 6

gbekmezi-DD
Level 5
Level 5

We have used cisco:cisco-av-pair successfully to access these attributes in an AuthZ rule in the past.

How do you select the attribute value ? using Cisco:cisco-av-pair gives the full "mdm-tlv=device-uid=F56.....blahbla" string. Any option to parse / remove a part of the string ?

thanks,

jean-francois

I don’t think you can parse the attributes as individual fields. However, maybe you can do something like this:

Hello,

Anyway of doing this but doing a database dip? Our scenario is also using the uid in the Cisco-av-pair but the number of endpoints is enormous making the conditions hard to handle. We would like to insert the uids into a database and query the database at time of authorization. Is there a way to do this?

 

Thanks in advance.

Hello @rhobab 

I have the exact scenario. Were you able to add the UIDs into a database and reference it in an authorization policy?

Regards,

Hello

Were not able to do this.