Using AV-Pairs to add a description to a port based on the authe

SHANNON WYATT · ‎05-09-2013

I recently saw a Cisco demo of ISE with a customer and the Cisco SE was setting the port description to the logged in username (dot1x). I can't find any docs on doing this. I did find some old ACS docs that mention using an AV pair and sending aaa:suplicant-name in the result, but that isn't working. I'm trying this on a 3750. and using ISE.

Marcin Latosiewicz · ‎05-10-2013

Shannon,

What version of IOS do you have on 3750 and can we see "debug radius" from there to see what ISE is sending?

M.

jwmolenaar · ‎05-11-2013

Hi Shannon,

Using the command "show aaa attribute" shows an attributed named "rm-port-description" on my switches.

Perphaps you can use this attribute for the requested functionality, but I suspect that it will also depend on your hardware/software version details.

J.W. Molenaar

SHANNON WYATT · ‎05-11-2013

Thanks for the suggestion. A former co-worker, now a Cisco SE told me to do it with a macro and assign the macro with the cisco-av-pair=auto-smart-port=dot1x-port-description (dot1x-port-description is the name I gave it). It isn't getting applied though. Below is the macro:

User defined triggers

---------------------

Trigger Id: dot1x-port-description

Trigger description: dot1x-port-description

Trigger environment:

Trigger mapping function: {

if [[ $LINKUP == YES ]]

then conf t

interface $INTERFACE

macro description $TRIGGER

description suplicant-name

exit

fi

if [[ $LINKUP == NO ]]

then conf t

interface $INTERFACE

no macro description $TRIGGER

description dynamic 802.1X port

exit

fi

}

Halyna · ‎10-05-2017

Hello! Did this configuration work for you? I'd like to add description with username to the running config after 802.1X authentication. But this config permanently adds - "desction supplicant-name", not "description {username}".

Thanks

Using AV-Pairs to add a description to a port based on the authenticated user?