Custom Attributes
  • 06 Jun 2022

Overview

Custom attributes allow you to configure your own attributes of MAC addresses in ISE. These attributes can be used for various use cases like:

Custom Attributes use cases

  • Identity PreShared Key - Allows you to configure a unique iPSK for each wireless device/client on a WPA2 Private wireless network. This feature is great for devices that do not support 802.1X configuration, while still maintaining per-endpoint security. It is typically used in IoT-rich environments.

  • BYOD Certificates - You can match username or any string of a user's certificate CN against the custom attribute. This is an opposite principle where ISE matches a MAC address in a certificate CN.

  • Switch Lock - Allows you to lock authentication of any MAC address to a particular switch. During a MAC authentication, authorization rules compare the switch name in the authentication request to the value in the Switch Lock custom attribute. This feature is great for improving the security of your MAB-authenticated devices.

  • Certificate match - The certificate used for authentication must contain a certain value, for example, a username. The user will then only be allowed to authenticate on a specific endpoint.

  • Migration - Allows you to easily migrate between two networks based on the presence of a custom attribute, while maintaining the same EIG of a MAC address.

  • Any other use case - Make your own use case and use the custom attributes feature freely.
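
The Switch Lock comparison described above, sketched as an added example (not XTENDISE or ISE code): a Python audit that flags MAB requests whose switch name does not match the endpoint's lock value, normalizing the MAC formats that network devices commonly send. The attribute name `SwitchLock`, the sample data and the exact-match comparison are assumptions.

```python
import re

# Constructed sample: endpoint MAC -> value of a custom attribute
# (hypothetically named "SwitchLock") holding the allowed switch name.
SWITCH_LOCK = {
    "00:11:22:AA:BB:01": "sw-floor1",
    "00:11:22:AA:BB:02": "sw-floor2",
}

# Constructed MAB requests: (MAC as sent by the switch, switch name).
AUTH_REQUESTS = [
    ("0011.22aa.bb01", "sw-floor1"),     # locked, correct switch
    ("00-11-22-AA-BB-02", "sw-floor1"),  # locked, wrong switch
    ("00:11:22:aa:bb:03", "sw-floor1"),  # endpoint without a lock value
    ("not-a-mac", "sw-floor1"),          # malformed identifier
]

def normalize_mac(mac):
    """Return the MAC as 12 uppercase hex digits, or None if malformed."""
    digits = re.sub(r"[.:\-]", "", mac).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def build_lock_table(locks):
    """Index lock values by normalized MAC, skipping empty or bad entries."""
    table = {}
    for mac, switch in locks.items():
        key = normalize_mac(mac)
        if key and switch and switch.strip():
            table[key] = switch.strip()
    return table

def check_request(mac, switch, table):
    """Classify one request: match, mismatch, no-lock or invalid-mac."""
    key = normalize_mac(mac)
    if key is None:
        return "invalid-mac"
    locked = table.get(key)
    if locked is None:
        return "no-lock"
    # Assumption: exact, case-sensitive comparison of switch names.
    return "match" if locked == switch.strip() else "mismatch"

def audit(requests, locks):
    """Return every request that is not a clean match, with its reason."""
    table = build_lock_table(locks)
    return [(m, s, r) for m, s in requests
            if (r := check_request(m, s, table)) != "match"]

if __name__ == "__main__":
    for finding in audit(AUTH_REQUESTS, SWITCH_LOCK):
        print(finding)
```
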

ISE configuration

Please note that XTENDISE only helps you to configure custom attributes of your endpoints. You also have to configure your ISE deployment in order to make use of custom attributes.

Custom Attributes configuration

Unlike ISE, where all MAC addresses can be configured with any custom attribute, in XTENDISE custom attributes are assigned to each MAC address group separately. This means that you have to map a configured Custom Attribute to each MAC group where you want to use it. If a mapping is configured, the New Endpoint form is extended with a new input field for the custom attribute when a MAC address group with the mapping is selected.

Custom attributes configuration:

  1. Create the required custom attribute in ISE. Navigate to Administration -> Identity Management -> Settings -> Custom Attributes -> Endpoint Custom Attributes.
  2. Create the same custom attribute in XTENDISE. Navigate to Administration -> Custom Attributes. Click the + button to add a new Custom Attribute. Fill in the name and description and click Save.
  3. Then configure the mapping. Select the custom attribute from the dropdown menu and check the MAC address groups to map the custom attribute to. Click the Save Mapping button to save the mapping.

  4. The custom attribute will then be available for configuration in the New Endpoint menu.

Warning

If a custom attribute configuration is deleted from XTENDISE, all MAC addresses containing this attribute will keep it in the database; it is not deleted from them. However, we highly recommend keeping the same Custom Attributes configuration in XTENDISE as is configured in ISE.