Using Cisco AV-pair value in an authorization rule to match AD Group

pviljoen
Level 1

Within the list of a Remote VPN Radius session attributes, there are a few Cisco:AV-pair entries:

CiscoAVPair

mdm-tlv=device-platform=win,
mdm-tlv=computer-name=V000011111,
mdm-tlv=device-platform-version=10.0.26100 ,
mdm-tlv=ac-user-agent=AnyConnect Windows 5.1.7.80,

The goal is to check if the "mdm-tlv=computer-name=V000011111" value matches or contains a particular AD Computer-Name OU Group.

Is there a way to create this Cisco:AV-pair value in the System Dictionary to use in an authorization rule to match/contains/equal an Active Directory Computer Group?


Thanks

Philip


Arne Bier
VIP

Hi @pviljoen 

The cisco-av-pair already exists in the ISE RADIUS Dictionary under Vendor ID 9 (Cisco) and the sub-ID for this AVPair is ID 1.

[screenshot of the dictionary entry, attached to the original reply]

This attribute is a String, which means it will accept values such as "mdm-tlv=computer-name=V000011111".

I don't believe you need to create any new dictionary items. And also, all the parameters in a dictionary are static values - there are no run-time assignments or bindings that take place. I think in yet to be released ISE versions, there was talk of adding a scripting language to ISE (LUA) that would allow us to manipulate the inputs and outputs (as done in FreeRADIUS, and Cisco's own carrier grade RADIUS platform Access Registrar) - that opens up almost limitless possibilities.

Not sure what kind of matching you're after, and perhaps you have to create a few of these regular expressions, but you can do this (I just made up some arbitrary matching logic) - the Policy Set Authorization below will run these rules against the currently authenticated endpoint:

[screenshot of the authorization rules, attached to the original reply]
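As an added illustration of the string-and-regex matching described in the reply (this is example code, not ISE's or Cisco's own; the AD group member list and the naming regex are constructed assumptions), the following parses the mdm-tlv AV-pair values from the question and evaluates the computer-name both with a MATCHES-style regex and against a group member list:

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: Cisco AV-pair values from a Remote VPN RADIUS session
# (the trailing space on the version value is kept as it appeared in the list).
SESSION_AV_PAIRS: List[str] = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=computer-name=V000011111",
    "mdm-tlv=device-platform-version=10.0.26100 ",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 5.1.7.80",
]

# Constructed stand-in for the member list of an AD computer group (hypothetical names).
AD_COMPUTER_GROUP = {"V000011111", "V000022222"}

# Hypothetical regex for a MATCHES-style rule applied to the raw AV-pair string.
COMPUTER_NAME_RULE = re.compile(r"^mdm-tlv=computer-name=V\d{9}$")


def parse_mdm_tlvs(av_pairs: Iterable[str]) -> Dict[str, str]:
    """Map each "mdm-tlv=<key>=<value>" string to key -> value.

    Only the first two '=' are structural; the value may contain '=' or
    spaces, so split with maxsplit=2 and strip surrounding whitespace.
    """
    tlvs: Dict[str, str] = {}
    for pair in av_pairs:
        parts = pair.split("=", 2)
        if len(parts) != 3 or parts[0] != "mdm-tlv":
            continue  # some other kind of AV-pair; ignore it
        tlvs[parts[1].strip()] = parts[2].strip()
    return tlvs


def av_pair_matches(av_pairs: Iterable[str], rule: "re.Pattern") -> bool:
    """Approximates a 'cisco-av-pair MATCHES <regex>' condition: true if any
    value of the multi-valued attribute matches the regex (whitespace trimmed)."""
    return any(rule.fullmatch(pair.strip()) for pair in av_pairs)


def computer_in_ad_group(av_pairs: Iterable[str], group: Iterable[str]) -> bool:
    """True if the reported computer-name is a member of the (constructed) AD
    group. AD computer names are case-insensitive, so compare upper-cased."""
    name = parse_mdm_tlvs(av_pairs).get("computer-name")
    return name is not None and name.upper() in {m.upper() for m in group}


if __name__ == "__main__":
    print(parse_mdm_tlvs(SESSION_AV_PAIRS))
    print("rule matches:", av_pair_matches(SESSION_AV_PAIRS, COMPUTER_NAME_RULE))
    print("in AD group:", computer_in_ad_group(SESSION_AV_PAIRS, AD_COMPUTER_GROUP))
```

Note that the raw attribute carries a trailing space on one value, so a regex anchored with `$` only matches reliably after trimming, which is worth remembering when writing the condition in ISE.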