Using Cisco AV-pair value in an authorization rule to match AD Group

pviljoen
Level 1

Within the list of a Remote VPN Radius session attributes, there are a few Cisco:AV-pair entries:

CiscoAVPair

mdm-tlv=device-platform=win,
mdm-tlv=computer-name=V000011111,
mdm-tlv=device-platform-version=10.0.26100 ,
mdm-tlv=ac-user-agent=AnyConnect Windows 5.1.7.80,

The goal is to check whether the "mdm-tlv=computer-name=V000011111" value matches or contains a particular AD Computer-Name OU Group.

Is there a way to create this Cisco:AV-pair value in the System Dictionary to use in an authorization rule to match/contains/equal an Active Directory Computer Group?


Thanks

Philip


4 Replies

Arne Bier
VIP

Hi @pviljoen 

The cisco-av-pair already exists in the ISE RADIUS Dictionary under Vendor ID 9 (Cisco) and the sub-ID for this AVPair is ID 1.

ArneBier_0-1750368537434.png

This attribute is a String, which means it will accept values such as "mdm-tlv=computer-name=V000011111"

I don't believe you need to create any new dictionary items. Also, all the parameters in a dictionary are static values - there are no run-time assignments or bindings that take place. I think in yet to be released ISE versions there was talk of adding a scripting language to ISE (LUA) that would allow us to manipulate the inputs and outputs (as is done in FreeRADIUS, and in Cisco's own carrier-grade RADIUS platform Access Registrar) - that opens up almost limitless possibilities.

Not sure what kind of matching you're after, and perhaps you have to create a few of these regular expressions, but you can do this (I just made up some arbitrary matching logic) - the Policy Set Authorization below will run these rules against the currently authenticated endpoint:

ArneBier_2-1750369107492.png


Hi Arne,

Thank you for your effort to assist.

What you show and explain is what I also managed to get working; the problem is this is a Telco, so the number of computer names can't be matched manually/statically. I need to match it to an AD Computer Group.

What I am trying to get right is to match that Hostname/ComputerName inside the Cisco av-pair with the format: attribute_name CiscoSecure-Group-Id mdm-tlv=computer-name= --> value "V00001111" with an Active Directory group of computer names. The reason is the customer does user authentication (MS-CHAPv2) with LDAP (eDirectory) and MFA (NetIQ TOTP), with F5 set up as the RADIUS token server, so no other machine/computer name values get sent inside the session to match with the computer groups, only user name values.

I was hoping I could enable TEAP on Secure Client using the profile editor tools, but the NAM module only supports Wired and WiFi from what I can see inside the settings. There is no Cisco Remote VPN - FTD - Secure Client support to enable it.

I am also trying to find a step-by-step guide to enable Certificate + AAA and hopefully do computer authentication with certs on the Remote VPN - FTD and then AAA, and then link it to a computer group in AD. This document is the closest I get:

Remote Access VPNs for Firepower Threat Defense

For cert CPN auth, check out Labminutes SEC0406 and onwards for step by step - as always, Metha does an awesome job.

I think ISE Policy Set has its limitations and you're trying to compare two variables on either side of the MATCHES operator - sadly, to my knowledge, you can't do that. I'm still waiting for the LUA language addition to ISE to allow us to do crazy cool things like this. When I did work for a telco many years ago we used Cisco Access Registrar (Cisco's SP RADIUS server) and we could easily code and manipulate RADIUS attributes at various stages of the flow. ISE has a very narrow use case only, and the GUI method is good for most typical enterprise use-cases. If you look at FreeRADIUS, you can do a lot of cool crazy stuff too.
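As an added illustration (not code from this thread, from Cisco ISE or from FreeRADIUS), this is the dynamic matching the question asks for and that Arne describes as needing a scriptable RADIUS server: parse the mdm-tlv Cisco AV-pairs for computer-name, then test that name against the members of an AD computer group. The AV-pair list mirrors the one quoted in the question; the group membership is a constructed in-memory set standing in for an LDAP lookup, and the `authorize` helper is hypothetical.

```python
import re
from typing import Dict, Iterable, Optional, Set

# Cisco AV-pair strings of the form "mdm-tlv=<key>=<value>", optionally ending in a comma
# as they appear in the ISE session attribute listing.
_MDM_TLV = re.compile(r"^mdm-tlv=([A-Za-z0-9_-]+)=(.*)$")


def parse_mdm_tlvs(av_pairs: Iterable[str]) -> Dict[str, str]:
    """Return {key: value} for every mdm-tlv AV-pair; other AV-pairs are ignored."""
    tlvs: Dict[str, str] = {}
    for raw in av_pairs:
        m = _MDM_TLV.match(raw.strip().rstrip(","))
        if m:
            tlvs[m.group(1)] = m.group(2).strip()
    return tlvs


def computer_name(av_pairs: Iterable[str]) -> Optional[str]:
    """Extract the client-reported computer name, or None if the TLV is absent.
    Note: this value is asserted by the Secure Client/AnyConnect endpoint itself, so it is a
    posture hint, not proof of machine identity; a machine certificate (as suggested in the
    thread) is the stronger binding."""
    return parse_mdm_tlvs(av_pairs).get("computer-name")


def is_group_member(name: Optional[str], group_members: Set[str]) -> bool:
    """Case-insensitive membership check; AD stores computer objects as 'NAME$', accept both."""
    if not name:
        return False
    wanted = name.upper().rstrip("$")
    return wanted in {m.upper().rstrip("$") for m in group_members}


# Constructed sample session attributes, mirroring the ones quoted in the question.
SAMPLE_AV_PAIRS = [
    "mdm-tlv=device-platform=win,",
    "mdm-tlv=computer-name=V000011111,",
    "mdm-tlv=device-platform-version=10.0.26100 ,",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 5.1.7.80,",
]

# Constructed stand-in for an AD computer group's members (would come from an LDAP query).
VPN_COMPUTERS_GROUP = {"V000011111$", "V000022222$"}


def authorize(av_pairs: Iterable[str], group_members: Set[str]) -> str:
    """Decision a policy rule would take: PermitAccess if the computer is in the group."""
    return "PermitAccess" if is_group_member(computer_name(av_pairs), group_members) else "DenyAccess"


if __name__ == "__main__":
    print(parse_mdm_tlvs(SAMPLE_AV_PAIRS))
    print(authorize(SAMPLE_AV_PAIRS, VPN_COMPUTERS_GROUP))
```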

Thanks for the info; I must say Labminutes is also my go-to guide, and I agree Metha does an awesome job!!


Thanks for sharing your knowledge, much appreciated.