cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
603
Views
5
Helpful
6
Replies
Beginner

ISE 2.3: Operation failed: Validation Errors: Device profile configuration is invalid: No dynamic URL attribute-value pair specified

Cisco ISE 2.3 Question:

I am trying to add a new 3rd Party Network Access Device Profile with its Vendor-Specific RADIUS dictionary. I am able to successfully configure Change Of Authorization (CoA) choices with the Vendor-Specific RADIUS dictionary attributes, but when I get to Redirect choosing Dynamic URL, I am only able to choose RADIUS dictionary attributes (RFC 2865) and not the Vendor-Specific RADIUS dictionary. When I try to manually type in the Vendor-Specific RADIUS dictionary attribute that I want to choose from the pull-down, I get a pop up with the error 

Operation failed:

Validation Errors: Device profile configuration is invalid: No dynamic URL attribute-value pair specified.

Afterwards, I am unable to update/submit the NAD Profile that I am trying create and have to exit without saving any its configuration.

Even if I were include Cisco in the RADIUS Dictionaries, the Redirect Dynamic URL Cisco Dictionary Attributes are not even showing up.

How can I properly configure a new 3rd Party Network Access Device Profile with its Vendor-Specific RADIUS dictionary.

6 REPLIES 6
Rising star

Can you please confirm which

Can you please confirm which build of 2.3 you are using. I am assuming this is an early build?

Beginner

Upgrade bundle for upgrading

Upgrade bundle for upgrading ISE version 2.2 to 2.3. 

ise-upgradebundle-2.3.0.298.SPA.x86_64.tar.gz, date 27-JUL-2017.

https://software.cisco.com/download/release.html?mdfid=283801620&reltype=all&relind=AVAILABLE&dwnld=true&softwareid=283802505&rellifecycle=&atcFlag=N&release=2.1.0&dwldImageGuid=5056B8C5468775757251864BDAD7E3203335A871&flowid=26081

Rising star

I took taken a look at this.

I took taken a look at this. Appears to be a known issue: CSCvc49267 that has existed in previous releases

The workaround is to save the profile without redirect option and edit it again.

Beginner

Thanks, I finally figured

Thanks, I finally figured that out late yesterday evening. However, I'm unable to view the bug CSCvc49267.

The problem I am facing now with the custom Network Device Profile and associating it with the custom Network Access Device is after ISE deems endpoint as Posture Unknown and URL Redirection occurs at the PC, the NAC Agent is not being downloaded automatically to the PC as when I associate the custom NAD with the default Cisco NDP.

I have two wireshark files that I can send you directly as I am unable to attach .pcap files to this post.

Rising star

ISE is working with many

ISE is working with many third part party NADs from different manufacturers. These capabilities are available well before ISE 2.3

I am not able to provide the level of support you are looking. Suggest to raise an SR or work through your account team if this is a POC. Alternatively can reach out on ISE community pages:

https://communities.cisco.com/community/technology/security/pa/ise

There is also a specific area on the communities page on this topic

ISE Third-Party NAD Profiles and Configs

Highlighted
Contributor

Which attribute and what kind

Which attribute and what kind of switch?