10-24-2017 06:14 AM
We are configuring ISE for MAB authentication using an external MAC Address database that contains a list of MAC Addresses and Endpoint Type (for example Printer, Workstation, HVAC, VOICE). We have created a custom attribute called "CompanyInfo" of the type string, which would be set to Device Type information from the external database.
The value of this custom attribute is set to match an IP Phone profile, and we defined an authorization policy that compares the custom attribute "CompanyInfo" with "EndPointPolicy" as shown below. ISE does not match the first rule defined below.
However, if we compare the "CompanyInfo" with "Cisco-IP-Phone-7970" as shown in the second rule below, we get a match.
I am not sure if the right-hand side of the condition can utilize an EndPointAttribute such as EndPointPolicy or EndPointLogicalProfile.
I have attached a screen capture from our lab testing.
10-24-2017 06:30 AM
Sounds like a bug to me
10-24-2017 07:26 AM
Which ISE release is this? If not 2.3, please try it with 2.3.
Why are you not using Equals or Contains instead of Matches, although this might not impact your results? The operator Matches is for regex.
For the Cisco IP Phones Profile Match, try swapping RHS and LHS.
Like Jason said, we would suggest logging a bug, but please detail the steps and attach debug logs. If a TAC case is open, please request TAC to do so.
10-24-2017 08:18 AM
We are running this on ISE 2.2 patch 4, which is what the customer has.
Was it not supposed to work on ISE 2.2?
Niten Ved
732 266 8063 – cell (preferred)
732 393 6101 - office
10-24-2017 08:27 AM
Endpoint custom attributes have been available since ISE 2.1, so they are supported. The reason I asked to try 2.3 is that the release uses a new policy engine and might make a difference.
10-25-2017 07:01 AM
Niten,
As you know, I provided this proposal to the customer, which you are now testing on their behalf. Since I have already engaged with this account and am providing direct consult, there is no reason to also post to the alias. This will only result in more TMEs and SMEs chasing the same issue.
As I responded directly to the account team, the use of Custom Attributes in Authorization Policy conditions IS supported. Furthermore, we addressed an issue in ISE 2.2 where Custom Attributes were not exposed to Authorization Profile:
CSCvc42525 support of Custom Attribute of Endpoint in Authz Profile
However, the typical scenario would be to match custom attribute (Left-Hand Side, or LHS) to a value (RHS). Same goes for Endpoint Profile Policy where value is selected on RHS via drop-down list of profiles. I suspect this particular combination was not tested by QA.
If not working as expected, then need a bug filed. Let's not duplicate efforts on this account.
Regards,
Craig