12-07-2016 08:42 AM
Hi,
Within the list of a VPN session's attributes, there are a few CiscoAVPair entries:
CiscoAVPair
mdm-tlv=device-platform=win,
mdm-tlv=device-mac=f0-d5-bf-23-97-04,
mdm-tlv=device-type=LENOVO 20FCS0NC1Q,
mdm-tlv=device-platform-version=10.0.10586 ,
mdm-tlv=ac-user-agent=AnyConnect Windows 4.3.03086,
mdm-tlv=device-uid=F5600BB8D654D66A726EB3C336965CED8A3EC152C8C6452FD07242C0CD589BB3,
The goal is to check if the "device-uid" or "device-mac" value belongs to a particular AD OU.
Is there a way to extract that string and play with that as a parameter in the authorization rule?
thanks,
jean-francois
12-07-2016 09:49 AM
I don’t think you can parse the attributes as individual fields. However, maybe you can do something like this:
12-07-2016 09:04 AM
12-07-2016 09:11 AM
How do you select the attribute value? Using Cisco:cisco-av-pair gives the full "mdm-tlv=device-uid=F56.....blahbla" string. Any option to parse / remove a part of the string?
thanks,
jean-francois
12-07-2016 09:49 AM
01-21-2019 03:14 AM
Hello,
Any way of doing this but doing a database dip? Our scenario is also using the uid in the Cisco-av-pair, but the number of endpoints is enormous, making the conditions hard to handle. We would like to insert the uids into a database and query the database at time of authorization. Is there a way to do this?
Thanks in advance.
06-22-2020 04:21 AM
Hello @rhobab
I have the exact scenario. Were you able to add the UIDs into a database and reference it in an authorization policy?
Regards,
06-22-2020 07:55 AM
Hello
We were not able to do this.
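The parsing and database lookup asked about in this thread, as an added example that is not from any poster and is not an ISE feature: a Python sketch, run outside ISE, that splits the `mdm-tlv=<name>=<value>` strings quoted in the question and looks the device-uid up in a table. The `devices` table, its columns and the OU string are assumptions made for the example.

```python
import sqlite3

MDM_PREFIX = "mdm-tlv="

# The cisco-av-pair values quoted in the question above.
SAMPLE_AV_PAIRS = [
    "mdm-tlv=device-platform=win,",
    "mdm-tlv=device-mac=f0-d5-bf-23-97-04,",
    "mdm-tlv=device-type=LENOVO 20FCS0NC1Q,",
    "mdm-tlv=device-platform-version=10.0.10586 ,",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 4.3.03086,",
    "mdm-tlv=device-uid=F5600BB8D654D66A726EB3C336965CED8A3EC152C8C6452FD07242C0CD589BB3,",
]


def parse_mdm_tlv(av_pairs):
    """Split 'mdm-tlv=<name>=<value>' strings into a {name: value} dict."""
    attrs = {}
    for raw in av_pairs:
        item = raw.strip().rstrip(",").strip()
        if not item.lower().startswith(MDM_PREFIX):
            continue  # some other cisco-av-pair, not an mdm-tlv entry
        # Split on the first '=' only, so values containing '=' survive.
        name, sep, value = item[len(MDM_PREFIX):].partition("=")
        if sep and name.strip():
            attrs[name.strip().lower()] = value.strip()
    return attrs


def build_device_db(rows):
    """Hypothetical lookup table (an assumption): one row per known device-uid."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (device_uid TEXT PRIMARY KEY, ou TEXT NOT NULL)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)",
                     [(uid.upper(), ou) for uid, ou in rows])
    return conn


def lookup_ou(conn, av_pairs):
    """Return the OU recorded for the session's device-uid, or None."""
    uid = parse_mdm_tlv(av_pairs).get("device-uid", "").upper()
    if not uid:
        return None  # attribute missing or malformed: treat as no match
    row = conn.execute("SELECT ou FROM devices WHERE device_uid = ?", (uid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    known_uid = parse_mdm_tlv(SAMPLE_AV_PAIRS)["device-uid"]
    db = build_device_db([(known_uid, "OU=Laptops,DC=example,DC=com")])  # constructed OU
    print(lookup_ou(db, SAMPLE_AV_PAIRS))
```

The mdm-tlv values are reported by the AnyConnect client, so a match is best treated as one signal alongside user or certificate authentication.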