Cisco Support Community

ISE External RADIUS proxy remove attributes

Hi all,

I set up an external RADIUS server for authenticating external users on ISE 1.2. I need to remove all attributes received from the external RADIUS server, but I cannot find how to do it.

I checked the option
On Access-Accept, continue to Authorization Policy
in the RADIUS server sequence Advanced Attribute settings

and in the Authorization policy I set up the proper attributes, but I found that the attributes from the external RADIUS server are in the Access-Accept response too.

This is RADIUS debug from the switch:
------
Apr 10 09:35:51 CEST: RADIUS: User-Name [1] 17 "xxxxxxxxxxxxx"
Apr 10 09:35:51 CEST: RADIUS: Session-Timeout [27] 6 3600
Apr 10 09:35:51 CEST: RADIUS: Termination-Action [29] 6 1
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
Apr 10 09:35:51 CEST: RADIUS: EAP-Message [79] 6
Apr 10 09:35:51 CEST: RADIUS: 03 08 00 04
Apr 10 09:35:51 CEST: RADIUS: Message-Authenticato[80] 18
Apr 10 09:35:51 CEST: RADIUS: BA 8C BC 8D 69 23 2B 7D 8A 70 20 D4 DE 96 0B E2 [ i#+}p ]
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 4 "17"
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 7 01:"v230"
Apr 10 09:35:51 CEST: RADIUS: Vendor, Cisco [26] 22
Apr 10 09:35:51 CEST: RADIUS: Cisco AVpair [1] 16 ""ssid=eduroam""
Apr 10 09:35:51 CEST: RADIUS: Vendor, Cisco [26] 37
Apr 10 09:35:51 CEST: RADIUS: Cisco AVpair [1] 31 "termination-action-modifier=1"
Apr 10 09:35:51 CEST: RADIUS: Vendor, Microsoft [26] 58
Apr 10 09:35:51 CEST: RADIUS: MS-MPPE-Send-Key [16] 52 *
Apr 10 09:35:51 CEST: RADIUS: Vendor, Microsoft [26] 58
Apr 10 09:35:51 CEST: RADIUS: MS-MPPE-Recv-Key [17] 52 *
-----------------------
As you can see, a lot of attributes appear twice in the response. I need only "v230" set as the VLAN ID.

I looked for a way to remove the attributes, but the "Modify attribute" settings (either "in the request" or "before access-accept") offer only a subset of RADIUS attributes - I need to remove attribute 81 - Tunnel Network Private Group - but it is not offered there.

Can somebody advise me how to (ideally) remove all attributes from the external RADIUS server, or at least remove a set of attributes, at minimum attribute 81?

Thank you for any help
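
An added example, not part of the original post and not Cisco code: a small Python check that parses switch debug lines in the format quoted above and reports which top-level RADIUS attributes arrive more than once in the Access-Accept, so a change to the proxy attribute settings can be verified from the switch side. The function names are hypothetical, and it assumes each "Vendor," line is followed by its sub-attribute line, as in the post.

```python
import re
from collections import defaultdict

# Excerpt of the switch debug output quoted in the post above.
SAMPLE = '''\
Apr 10 09:35:51 CEST: RADIUS: User-Name [1] 17 "xxxxxxxxxxxxx"
Apr 10 09:35:51 CEST: RADIUS: Session-Timeout [27] 6 3600
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
Apr 10 09:35:51 CEST: RADIUS: Message-Authenticato[80] 18
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 4 "17"
Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 7 01:"v230"
Apr 10 09:35:51 CEST: RADIUS: Vendor, Microsoft [26] 58
Apr 10 09:35:51 CEST: RADIUS: MS-MPPE-Send-Key [16] 52 *
'''.splitlines()

# name [type] length value ; hex-dump continuation lines do not match.
ATTR = re.compile(r'RADIUS:\s+([A-Za-z][\w -]*?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$')
TAGGED = re.compile(r'^(\d{2}):(.*)$')   # tunnel attributes may carry a tag

def parse(lines):
    """Yield (type, name, tag, value) for top-level attributes only."""
    in_vsa = False
    for line in lines:
        if 'RADIUS: Vendor,' in line:
            in_vsa = True            # assumption: sub-attribute line follows
            continue
        m = ATTR.search(line)
        if not m:
            continue                 # hex dump or unrelated line
        if in_vsa:
            in_vsa = False           # vendor-scoped number, not a top-level type
            continue
        name, atype, _length, raw = m.groups()
        t = TAGGED.match(raw)
        tag, value = (t.group(1), t.group(2)) if t else (None, raw)
        yield int(atype), name, tag, value.strip().strip('"')

def duplicated(lines):
    """Map attribute type -> [(tag, value), ...] for types seen more than once."""
    seen = defaultdict(list)
    for atype, _name, tag, value in parse(lines):
        seen[atype].append((tag, value))
    return {t: v for t, v in seen.items() if len(v) > 1}

if __name__ == '__main__':
    for atype, instances in sorted(duplicated(SAMPLE).items()):
        print(atype, instances)
```
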
