Issue with ISE AuthZ Policy

stojanr
Level 1

We have an issue with ISE selecting the appropriate AuthZ policy based on the device NDG name. A customer has 200+ locations, with each location having a specific code to specify the geographical location / building / floor. Their business requirement is that only computers with the appropriate code in their hostname can connect to the appropriate locations/switches.

Example:

Location codes: ABC, CDF1, FGH2B

Valid Computer hostnames: WABC12312, PCDF14415, BFGH2B5543

So far, I've created a new Network Device Group hierarchy, containing the location codes, and have attached that to the switches on the specific locations.

Authentication of computers is performed via EAP-TTLS/MSCHAPv2 and that works fine. The issue comes with the AuthZ rules, where I wanted to:

      Computers: check whether the computer name contains the location code (derived from switch's NDG)

So, the problem I'm seeing is that the NDG string that I get when trying to use "Contains" or "Starts with" does not contain the actual 3-5 letter code, but rather the string in the format of "Group name#Category#LocationCode", which I can of course not use when directly comparing the two strings (computer name). I would really need just the part after the last '#' sign, but have no clue how to tell ISE that. Any ideas on how to achieve that? Currently ISE fails the check, and falls back to the AuthZ rule, which only verifies the computer name.

Accepted Solution

hslai
Cisco Employee

Network Device Groups (NDG) are hierarchical and the names always include the full path from the root to the leaf and the left-hand-side (LHS) of ISE attribute-to-attribute comparison has to be a full name. As a result, I do not see an option to use NDG. You might try other attributes, such as the description, the model name, or software version, instead. Perhaps, we should also ask an enhancement for custom attributes for network devices.

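To make the accepted answer concrete, the following is an added illustration written for this page, not ISE code and not anything either poster supplied. It models the comparison ISE performs: the NDG attribute is exposed as the whole root-to-leaf path joined with '#', and a "Contains" operator tests that whole string, so the computer name never contains it. The second function shows the leaf extraction the question asks for, which ISE's policy language does not offer; it is included only to show what the match would look like if it did. The last function is a pre-deployment check a practitioner would want before relying on a substring test at all: any location code that is a substring of a longer code would match both. The root and category names ("Location", "Building"), the switch names and the sample requests are constructed; the location codes and computer names come from the original post.

```python
"""Model of the ISE 'Contains' comparison against an NDG attribute.

Added example for this thread, not ISE code.  Assumed for illustration:
the NDG root/category names, the switch names and the sample requests.
"""

NDG_SEPARATOR = "#"

# Constructed sample data: switch -> NDG value as ISE exposes it to policy
# (full path from the root of the hierarchy to the leaf, joined with '#').
SWITCH_NDG = {
    "sw-abc-01":   "Location#Building#ABC",
    "sw-cdf1-01":  "Location#Building#CDF1",
    "sw-fgh2b-01": "Location#Building#FGH2B",
}

# Constructed sample requests: (computer name, switch the request came from).
SAMPLE_REQUESTS = [
    ("WABC12312", "sw-abc-01"),     # computer at its own location
    ("PCDF14415", "sw-cdf1-01"),    # computer at its own location
    ("BFGH2B5543", "sw-fgh2b-01"),  # computer at its own location
    ("WABC12312", "sw-cdf1-01"),    # ABC computer plugged into a CDF1 switch
]


def ise_contains(lhs: str, rhs: str) -> bool:
    """Model of the ISE 'Contains' operator: a plain substring test of the
    right-hand attribute value inside the left-hand one (assumption: the
    whole attribute value is compared, no part of it is stripped)."""
    return rhs in lhs


def ndg_leaf(ndg_value: str) -> str:
    """Hypothetical post-processing the question asks for: keep only the
    text after the last '#'.  ISE has no policy operator that does this."""
    return ndg_value.rsplit(NDG_SEPARATOR, 1)[-1]


def authorize(hostname: str, switch: str, extract_leaf: bool) -> str:
    """Evaluate the two rules described in the thread, top down, and return
    the name of the first rule that matches.

    Rule 1: computer name CONTAINS the switch's NDG location attribute.
    Rule 2: fallback that only verifies the computer name (modelled here as
            'the name is non-empty').
    """
    ndg_value = SWITCH_NDG[switch]
    rhs = ndg_leaf(ndg_value) if extract_leaf else ndg_value
    if ise_contains(hostname, rhs):
        return "Location-Match"
    if hostname:
        return "Computer-Only-Fallback"
    return "Deny"


def evaluate_all(extract_leaf: bool) -> dict:
    """Run every sample request; returns {(hostname, switch): rule name}."""
    return {
        (host, sw): authorize(host, sw, extract_leaf)
        for host, sw in SAMPLE_REQUESTS
    }


def overlapping_codes(codes) -> list:
    """Pre-deployment check for a substring-based match: a code that is a
    substring of a longer code (e.g. 'ABC' inside a hypothetical 'ABC1')
    would match computers of both sites.  Returns (shorter, longer) pairs."""
    ordered = sorted(set(codes), key=len)
    return [
        (short, longer)
        for i, short in enumerate(ordered)
        for longer in ordered[i + 1:]
        if short != longer and short in longer
    ]


if __name__ == "__main__":
    print("As ISE evaluates it (full NDG path on the right-hand side):")
    for key, rule in evaluate_all(extract_leaf=False).items():
        print(f"  {key}: {rule}")
    print("With the leaf extracted (what the question wants; not available in ISE):")
    for key, rule in evaluate_all(extract_leaf=True).items():
        print(f"  {key}: {rule}")
    print("Codes that would collide under a substring test:",
          overlapping_codes(["ABC", "CDF1", "FGH2B", "ABC1"]))
```

Run as a script, the first block shows every request landing on the computer-only fallback rule, which is exactly the behaviour the question describes; the second block shows that only the mismatched request would fall back if the leaf could be isolated. The collision check is worth running on the real list of 200+ codes before adopting any substring-based rule, whatever attribute ends up carrying the code.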

2 Replies

Arne Bier
VIP

Interesting challenge.

I don't think it's possible. This is where having an extensible framework would be handy (i.e. pre- and post-processing scripting points at various stages of the AAA processing). Or allow more power in the Editor.

If (theoretically) you could flatten your Device Location structure, where every possible location was in the top level of the hierarchy (i.e. no hierarchy), then would this work?  I am not sure whether the string comparison would include all those '#' hashes.  Maybe you have tried this already.

