Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1942
Views
5
Helpful
6
Replies

ISE 2.3: Operation failed: Validation Errors: Device profile configuration is invalid: No dynamic URL attribute-value pair specified

david.wisnoski
Level 1
Level 1

‎07-29-2017 08:36 AM - edited ‎03-11-2019 12:54 AM

Cisco ISE 2.3 Question:

I am trying to add a new 3rd Party Network Access Device Profile with its Vendor-Specific RADIUS dictionary. I am able to successfully configure Change Of Authorization (CoA) choices with the Vendor-Specific RADIUS dictionary attributes, but when I get to Redirect choosing Dynamic URL, I am only able to choose RADIUS dictionary attributes (RFC 2865) and not the Vendor-Specific RADIUS dictionary. When I try to manually type in the Vendor-Specific RADIUS dictionary attribute that I want to choose from the pull-down, I get a pop up with the error 

Operation failed:

Validation Errors: Device profile configuration is invalid: No dynamic URL attribute-value pair specified.

Afterwards, I am unable to update/submit the NAD Profile that I am trying create and have to exit without saving any its configuration.

Even if I were include Cisco in the RADIUS Dictionaries, the Redirect Dynamic URL Cisco Dictionary Attributes are not even showing up.

How can I properly configure a new 3rd Party Network Access Device Profile with its Vendor-Specific RADIUS dictionary.

Labels:
0 Helpful
6 Replies 6

jrabinow
Level 7
Level 7

‎07-29-2017 11:30 PM

Can you please confirm which build of 2.3 you are using. I am assuming this is an early build?

0 Helpful

david.wisnoski
Level 1
Level 1
In response to jrabinow

‎07-30-2017 08:33 AM

Upgrade bundle for upgrading ISE version 2.2 to 2.3. 

ise-upgradebundle-2.3.0.298.SPA.x86_64.tar.gz, date 27-JUL-2017.

https://software.cisco.com/download/release.html?mdfid=283801620&reltype=all&relind=AVAILABLE&dwnld=true&softwareid=283802505&rellifecycle=&atcFlag=N&release=2.1.0&dwldImageGuid=5056B8C5468775757251864BDAD7E3203335A871&flowid=26081

0 Helpful

jrabinow
Level 7
Level 7
In response to david.wisnoski

‎08-01-2017 08:19 AM

I took taken a look at this. Appears to be a known issue: CSCvc49267 that has existed in previous releases

The workaround is to save the profile without redirect option and edit it again.

david.wisnoski
Level 1
Level 1
In response to jrabinow

‎08-01-2017 09:47 AM

Thanks, I finally figured that out late yesterday evening. However, I'm unable to view the bug CSCvc49267.

The problem I am facing now with the custom Network Device Profile and associating it with the custom Network Access Device is after ISE deems endpoint as Posture Unknown and URL Redirection occurs at the PC, the NAC Agent is not being downloaded automatically to the PC as when I associate the custom NAD with the default Cisco NDP.

I have two wireshark files that I can send you directly as I am unable to attach .pcap files to this post.

0 Helpful

jrabinow
Level 7
Level 7
In response to david.wisnoski

‎08-01-2017 11:04 AM

ISE is working with many third part party NADs from different manufacturers. These capabilities are available well before ISE 2.3

I am not able to provide the level of support you are looking. Suggest to raise an SR or work through your account team if this is a POC. Alternatively can reach out on ISE community pages:

https://communities.cisco.com/community/technology/security/pa/ise

There is also a specific area on the communities page on this topic

ISE Third-Party NAD Profiles and Configs

0 Helpful

Peter Koltl
Level 7
Level 7

‎08-02-2017 11:26 PM

Which attribute and what kind of switch?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents