Using Endpoint Custom Attribute in Authorization Policies

nved
Cisco Employee

We are configuring ISE for MAB authentication using an external MAC address database that contains a list of MAC addresses and Endpoint Type (for example Printer, Workstation, HVAC, VOICE). We have created a custom attribute called "CompanyInfo" of type string, which is set to the Device Type information from the external database.

The value of this custom attribute is set to match an IP Phone profile, and we defined an authorization policy that compares the custom attribute "CompanyInfo" with "EndPointPolicy" as shown below. ISE does not match the first rule defined below.

However, if we compare "CompanyInfo" with "Cisco-IP-Phone-7970" as shown in the second rule below, we get a match.

[Screenshot of the two authorization rules: "Cisco IP Phones Profile Match" with condition Endpoints:CompanyInfo MATCHES Endpoints:EndPointPolicy, and "Cisco IP Phones Fixed" with condition Endpoints:CompanyInfo MATCHES Cisco-IP-Phone-7970]

I am not sure if the right-hand side of the condition can utilize an endpoint attribute such as EndPointPolicy or EndPointLogicalProfile.

I have attached a screen capture from our lab testing.

Accepted Solution

Jason Kunst
Cisco Employee

Sounds like a bug to me

5 Replies

hslai
Cisco Employee

Which ISE release is this? If not 2.3, please try it with 2.3.


Why are you not using Equals or Contains instead of Matches, although this might not impact your results? The operator Matches is for regex.

For the Cisco IP Phones Profile Match, try swapping RHS and LHS.

Like Jason said, we would suggest logging a bug, but please detail the steps and attach debug logs. If a TAC case is open, please request TAC to do so.

nved
Cisco Employee

We are running this on ISE 2.2 patch 4, which is what the customer has.

Was it not supposed to work on ISE 2.2?

Niten Ved

732 266 8063 - cell (preferred)

732 393 6101 - office

hslai
Cisco Employee

Endpoint custom attributes are available since ISE 2.1 so supported. The reason I asked to try 2.3 is that release uses a new policy engine and might make a difference.

Niten,

As you know, I provided this proposal to the customer, which you are now testing on their behalf. Since I have already engaged with this account and am providing direct consultation, there is no reason to also post to the alias. This will only result in more TMEs and SMEs chasing the same issue.

As I responded directly to the account team, the use of Custom Attributes in Authorization Policy conditions IS supported. Furthermore, we addressed an issue in ISE 2.2 where Custom Attributes were not exposed to the Authorization Profile:

CSCvc42525 support of Custom Attribute of Endpoint in Authz Profile

However, the typical scenario would be to match a custom attribute (Left-Hand Side, or LHS) to a value (RHS). The same goes for Endpoint Profile Policy, where the value is selected on the RHS via a drop-down list of profiles. I suspect this particular combination was not tested by QA.

If it is not working as expected, then a bug needs to be filed. Let's not duplicate efforts on this account.

Regards,

Craig
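A small Python model of the condition evaluation discussed in hslai's reply (Matches is a regex operator; Equals or Contains may be the better fit) and in Craig's reply (the usual pattern is attribute on the LHS, a value on the RHS). This is an added example, not ISE code or anything posted in the thread. It assumes MATCHES is an anchored regex compare, and it exercises both ways an `Endpoints:` reference on the RHS could be handled: resolved against the endpoint record, or treated as a literal string, which is one possible explanation (an assumption, not a confirmed cause) for why the attribute-to-attribute rule never fires while the literal rule does.

```python
import re

# Constructed endpoint record (not taken from the thread): the custom attribute
# was populated from the external MAC database with the same profile name that
# the profiler assigned to the endpoint.
ENDPOINT = {
    "Endpoints:CompanyInfo": "Cisco-IP-Phone-7970",
    "Endpoints:EndPointPolicy": "Cisco-IP-Phone-7970",
}

def resolve_rhs(rhs, endpoint, dereference):
    """Return the value to compare against. With dereference=True an
    'Endpoints:' reference on the RHS is looked up in the endpoint record;
    with dereference=False it is used as a literal string."""
    if dereference and rhs.startswith("Endpoints:"):
        return endpoint.get(rhs, "")
    return rhs

def evaluate(lhs, operator, rhs, endpoint, dereference=True):
    """Evaluate one ISE-style condition: EQUALS, CONTAINS or MATCHES.
    MATCHES is modelled as an anchored regex (assumption)."""
    left = endpoint.get(lhs, "")
    right = resolve_rhs(rhs, endpoint, dereference)
    if operator == "EQUALS":
        return left == right
    if operator == "CONTAINS":
        return right in left
    if operator == "MATCHES":
        return re.fullmatch(right, left) is not None
    raise ValueError(f"unknown operator {operator}")

def rule_results(dereference=True):
    """Evaluate the two rules from the screenshot, with EQUALS alongside MATCHES."""
    lhs = "Endpoints:CompanyInfo"
    attr_rhs = "Endpoints:EndPointPolicy"   # attribute-to-attribute rule
    literal_rhs = "Cisco-IP-Phone-7970"     # attribute-to-literal rule
    return {
        "profile_match_MATCHES": evaluate(lhs, "MATCHES", attr_rhs, ENDPOINT, dereference),
        "profile_match_EQUALS": evaluate(lhs, "EQUALS", attr_rhs, ENDPOINT, dereference),
        "fixed_MATCHES": evaluate(lhs, "MATCHES", literal_rhs, ENDPOINT, dereference),
        "fixed_EQUALS": evaluate(lhs, "EQUALS", literal_rhs, ENDPOINT, dereference),
    }

if __name__ == "__main__":
    print("RHS reference resolved:", rule_results(dereference=True))
    print("RHS reference literal: ", rule_results(dereference=False))
```

Because MATCHES is a regex, a pattern such as `Cisco-IP-Phone-79.0` also fires for other models ending in 0, which EQUALS would not; that is why hslai suggests Equals or Contains when the intent is an exact compare.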