ISE AuthZ policy based on FlexConnect Group
Hi all,
I understand that it is possible to have the WLC send different NAS-ID attributes to the CIsco ISE so that I can create specific AuthZ policies based on that NAS-ID attribute.
The only thing is that I cannot see anywhere in the FlexConnect AP Group config that allows me to choose the format for the RADIUS request. I can only see it when adding a RADIUS server in Global Configuration.
So how can I define the attribute that is sent to the ISE?
Thanks
Mario
I don't remember there being a NAS-ID attribute for FlexConnect groups. There is one for AP Group and WLAN.
Similar Messages
-
Cisco ISE auth policy based on Active Directory domain membership
I am currently testing the Cisco ISE product and I am trying to find a way to assign an authorization policy based on domain membership. Our company sorts standard users and project team member into different domains so it seemed like the ideal thing to sort with. Unfortunately, I am no AD expert and there are a mind boggling number of conditions/expressions to choose from. I figured I would be the first person to try this. What have other done to solve this problem?
I have tried using the memberOf attribute and matching to .*(domain).* Basically looking to see if memberOf contains the domain name. It works for machine authentication, but when I log it the system cannot find my account info for some reason and boots me to the guest vlan.
Thank you.Are the two sets of users actually residing on two separate and independent domains? If so then that is probably where your problem is as ISE can only integrate with a single domain. If you have multiple domains then there must be a trust relationship between them. Another solution is to use LDAP integrations as there is not a limit with LDAP integrations.
Thank you for rating! -
ISE Auth policy based on MAC OUI and SSID
I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.
Anyone know how to do this on ISE? Two questions -
1) I can match based on WLAN-ID, but not SSID. My WLAN-IDs for the same SSID don't match between controllers. Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller? Or, is there a different attribute I can use that refers to the SSID?
2) What attribute do you use in ISE Authorization conditions to match OUI? And can I match a list of OUIs?1) I have never seen the actual SSID name anywhere in the radius attributes coming from the controller, i always use airespace-wlan-id, and if you wan't to avoid creating multiple rules, make the id's the same on all controllers.
2) Well OUI is part of the mac, so you could maybe use RegEX to filter out specific OUI's. Another way, if you have advanced license, would be to use Profiling, then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authoriz. policy ex . "Profiled:Iphone" -
Using Framed IP Address in ISE AuthZ policy
Hi,
i have an issue when attempting to use the RADIUS-Framed-IP attribute in a User Authorisation policy. Essentially, when I try and map the Radius attribute to the user custom attribute in the AAuthZ profile, it will not let me as the RADIUS Framed IP has a data type of IPv4 and the user attribute i created has a data type of string.
I cannot see the data type of IPv4 available when creating user attributes.
Is there a way around this?
Thanks
MarioWhich version of ISE / patch are you using
The following was fixed in ISE 1.2 patch 3
CSCuj14382 Cannot statically assign IP address as FramedAddress -
AuthZ Policy using specific Endpoint Identity Groups
I am trying to create an AuthZ policy that will identify if a device is in specific Endpoint Identity Group. See policy below.
I used the IdentityGroup:Name attribute Equals the Identity Group MAB_Devices. Please note that there are NO Identity groups listed in the dropdown options, so I typed in the name. Alas, the rule is not working. Anyone have advise on what I am doing wrong? ThxBransomar, your screenshot is an Authentication policy rule but you should do it in Authorization policy. Authentication policy sorts out requests by request method and origin and assigns an identity store to each.
-
ISE Authorization Policy Issues
Hello Team,
I´m getting troubles during my implementation: The User PC never gets IP Address from Access VLAN after AuthZ Policy succeded.
I have two vlans in my implementation:
Vlan ID 802 for Authentication (Subnet 10.2.39.0)
Vlan ID 50 for Access Users (Subnet Y.Y.Y.Y)
When I start my User PC, I get IP for VLAN 802 (10.2.39.3) and After Posture process, ISE inform the switch to put the User PC port in VLAN 50.
Here I have my Switch Port Configuration:
interface GigabitEthernet0/38
switchport access vlan 802
switchport mode access
switchport nonegotiate
switchport voice vlan 120
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
And Here, I have outputs AuthZ Policy in Action:
Oct 7 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
Oct 7 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
Oct 7 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
Oct 7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
SWISNGAC8FL02#
Oct 7 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
SWISNGAC8FL02#
Oct 7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Oct 7 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS
After that, I have:
SWISNGAC8FL02#sh auth sess int g0/38
Interface: GigabitEthernet0/38
MAC Address: 0022.1910.4130
IP Address: 10.2.39.3
User-Name: SNL\enzo.belo
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 50
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A022047000000F6126E9B17
Acct Session ID: 0x000001A7
Handle: 0x710000F7
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
Apparently, everything is OK, but NOT. The User PC never gets IP Address from Access VLAN 50.
If I do SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130
50 0022.1910.4130 STATIC Gi0/38
802 0022.1910.4130 STATIC Gi0/38
And
SWISNGAC8FL02#sh epm session summary
EPM Session Information
Total sessions seen so far : 17
Total active sessions : 1
Interface IP Address MAC Address VLAN Audit Session Id:
GigabitEthernet0/38 10.2.39.3 0022.1910.4130 802 0A022047000000F6126E9B17
My Switch is a Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
I am using ISE Version 1.2.1.198 Patch Info 2
Could you help me in this Case ?
Best Regards,
Daniel StefaniIt seems like the PC is operating in the VOICE-domain according to the cmd auth sess int you showed. Do you think that has something to do with your problem? I've experienced some PC's having problem with that.
If you could, try getting the PC to operate in the DATA-domain by not sending the voice-attribute from ISE after the authorization. -
Authorization based on AP group
Hi,
I am running WLC 7.4.100 and ISE 1.2. With Flexconnect APs.
In ISE I have a condition that say "Radius: Called-Station-ID CONTAINS ssid" in a Policy Set. This works fine and in ISE I can see the attribute on the devices:
Called-Station-ID
7c-95-f3-73-f4-e0:ssid
Now I will have several branch offices with the same SSID but different VLANs. So I want to change so the called-station-ID can be a AP group insted. But I can't seem to figure out how to change this so the WLC sends the AP group as Called-station-ID.
In the WLC under Security - RADIUS - Authentication the "Call Station ID Type" is set to "IP address". (This is strange to me since the attribute in ISE is "AP MAC address: SSID".)
Is Call Station ID different from Called Station ID?
Where do I change the Called Station ID in WLC?
Regards,
PhilipI can't upgrade the WLC, it is a live environment with production 24/7. It will take me a month to get a maintenance window.
I ran some debuggin and I can see this:
*aaaQueueReader: Jan 30 08:23:10.558: AuthenticationRequest: 0x2b547afc
*aaaQueueReader: Jan 30 08:23:10.558: Callback.....................................0x11593a70
*aaaQueueReader: Jan 30 08:23:10.558: protocolType.................................0x00140001
*aaaQueueReader: Jan 30 08:23:10.558: proxyState...................................08:11:96:F1:7A:CC-19:02
*aaaQueueReader: Jan 30 08:23:10.558: Packet contains 14 AVPs (not shown)
<output omitted>
*aaaQueueReader: Jan 30 08:23:10.558: 00000040: 1e 1d 35 30 2d 31 37 2d 66 66 2d 65 35 2d 32 62 ..50-17-ff-e5-2b
*aaaQueueReader: Jan 30 08:23:10.558: 00000050: 2d 65 30 3a 61 78 2d 73 65 63 75 72 65 05 06 00 -e0:ssid...
<output omitted>
*aaaQueueReader: Jan 30 08:23:10.653: AccountingMessage Accounting Interim: 0x2b6190e0
*aaaQueueReader: Jan 30 08:23:10.653: Packet contains 24 AVPs:
*aaaQueueReader: Jan 30 08:23:10.653: AVP[23] Called-Station-Id........................AP_grupp(17 bytes)
So the WLC sends MAC:SSID with the authentication packets but AP GROUP with the accounting packet. This is not good since I want to use AP group in authentication. Is there any way to fix this? -
ISE AuthZ for Wireless Phones MIC EAP-TLS
Hi all,
Trying to authorise 7925G phones using MIC and EAP-TLS. My problem is that I can't seem to get the username in the MIC to match against an Internal Identity group on ISE AuthZ policies. If I remove the endpoint ID group I am able to auth no worries. Everything looks great including the username been in a specific User ID group but I just cannot get it to match a policy with this group selected (both as the ID Group and as an "Internal User:Identity Group" condition).
Any ideas or is this just not possible?Out of curiousity why would you suggest MAB in this instance? These devices have MIC certs and are pretty much EAP-TLS ready out of the box? My problem simply lies with the apparent inability of ISE to match the Subject CN againt an internal group.
-
ACS 5.3 Group Mapping based on AD group membership
Hi,
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
Thank you,
SamiOk, my case is like this.
I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
I have a case with Cisco engineer now and still in the middle to sort things out.
The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
Wondering whether there is a fix for this.
Thanks. -
ISE 1.2 Multi-Portal Identity Group Mapping
Hi,
Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I cant find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal, and getting a successful authentication message. Of course I can further restrict the access in another policy rule, but this isnt a very neat solution.
Anybody have any ideas? It seems so basic that it has to be possible somehow?!
RegardsYou can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
In the end if a user logs into portal A they hit the DRW and accept, ISE dumps them into a endpoint group called PortalA, you can then tie this into a policy where the PortalA endpoint is denied association to any other open ssid you have in your design.
Here is the document -
https://supportforums.cisco.com/docs/DOC-26667
Tarik Admani
*Please rate helpful posts* -
ISE Authentication Policy for RSA Securid and LDAP for VPN
We are working on replacing our existing ACS server with ISE. We have 2 groups of users, customers and employees. The employee's utilize RSA securid for authentication while the customers use Window authentication. We have integrated the AD into ISE using LDAP and this has been tested. We are now working on trying to get the rsa portion to work. We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
Here is my question:
Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users. I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment. With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA. The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy. The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues. Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl.
Thanks,
JoeThat is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token mode.
The way you descripbed, it seemed like anyone in this group can go directly
into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks. -
AuthZ Policy "Monitor Only" mode
I have a question about the AuthZ Policy “Monitor Only” or "Audit" mode. I want to test a new AuthZ policy by using “Monitor Only” mode, but I am not seeing any indication that my Test device is hitting the rule while in Monitor only mode… It ends up hitting our last default rule which is currently permit any. If I actually enable the rule, I can see the device hitting the rule and getting denied in the Authentication log window.
So I know the rule works, but I want to only monitor the rule for now to see what would get denied, so that we can assess how we want to handle auth for said devices. According some info I found, I should be seeing an indication in the Auth log window that a rule was matched, if it is Monitor only mode.
I am currently running ISE 1.3.0.876.
Any help is appreciatedI have had the same experience. If you look at the AuthZ details for the connection, you will see under Other Attributes a special attribute returned named "RadiusAuthorizationPolicyMatchedMonitorRules," but as far as I know there is no way to run a report on it. Maybe someone else has a suggestion on it.
What I do as a workaround is create a rule matching the conditions and create a special Authorization Profile for the rule that just has ACCESS_ACCEPT (not to break any traffic), then run a RADIUS Authentication report matching that Authorization Profile. -
Policy based routing on VRF interfaces to route traffic through TE Tunnel
Hi All,
Is there a method to do policy based routing on VRF interfaces and route data traffic through one TE tunnel and non-data traffic through another TE tunnel.
The tunnel is already build up with these below config
interface Tunnel25
ip unnumbered Loopback0
tunnel destination 10.250.16.250
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng path-option 10 explicit name test
ip explicit-path name test enable
next-address x.x.x.x
next-address y.y.y.y
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
mpls traffic-eng tunnels
nterface GigabitEthernet5/2
mpls traffic-eng tunnels
mpls ip
Is there additional config needed to work ,also in the destination end for the return traffic,we want to use the normal PATH --I mean non TE tunnel.
We tested with the above scenario,but couldn't able to reach the destination.Meantime we had a question,when the packet uses the policy map while ingress,it may not know the associatuion with VRF(Is that right? --If so ,how to make it happen)
Any help would be really appreciated
Thanks
Regards
Anantha Subramanian Natarajanhi Anantha!
I might not be the right person to comment on your first question. I have not configured MVPNs yet and not very confertable with the topic.
But I am sure that if you read through the CBTS doc thoroughly, you might be able to derive the answer yourself. One thing I notice is that " a Tunnel will be selected regularly according to the routing process (even isf it is cbts enabled). From the tunnels selected using the regular best path selection, the traffic is mapped to a perticular tunnel in the group if specific class is mapped to that tunnel.
So a master tunnel can be the only tunnel between the 2 devices over which the routing (bgp next hops) are exchanged and all other tunnels can be members of this tunnel. So your RPF might not fail.
You might have to explore on this a bit more and read about the co-existance of multicast and TE. This will be the same as that.
For your second question, the answer would be easy :
If you want a specific eompls cust to take a particular tunnel/path, just create a seperate pair of loopbacks on the PEs. Make the loopback learnt on the remote PE through the tunnel/path that you want the eompls to take. Then establish the xconnect with this loopback. I am assuming that your question is that a particular eompls session should take a particular path.
If you meant that certain traffic from the same eompls session take a different path/tunnel, then CBTS will work.
Regards,
Niranjan -
Policy Based Routing with VPN Client configuration
Hi to all,
We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
The router has two WAN connections. One is the primary wan ("slow wan" link with slower upload 10D/1U mbps) and it is used for the corporate workstations used by the emploees. The other is our backup link. It has higher upload speed - 11D/11U mbps, (fast wan), and thus we also use the high upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasions we can not use the `fast wan` connection as our primary connection and it is used anly as a failover in case the primary link fails.
The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes from the`fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload the vpn connection is slow.
Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
This is our sanitized config
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group dc
key ***
dns 192.168.5.7
domain corp.local
pool SDM_POOL_1
acl 101
max-users 3
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group dc
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
interface Loopback0
ip address 10.10.10.1 255.255.255.0
interface FastEthernet0/0
description *WAN*
no ip address
ip mtu 1396
duplex auto
speed auto
interface FastEthernet0/0.3
description FAST-WAN-11D-11U
encapsulation dot1Q 3
ip address 88.XX.XX.75 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
interface FastEthernet0/0.4
description SLOW-WAN-10D-1U
encapsulation dot1Q 4
ip address dhcp
ip nat outside
ip virtual-reassembly
no cdp enable
interface FastEthernet0/1
description *LOCAL*
no ip address
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1.10
description VLAN 10 192-168-5-0
encapsulation dot1Q 10
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 32
no cdp enable
interface FastEthernet0/1.20
description VLAN 20 10-10-0-0
encapsulation dot1Q 20
ip address 10.10.0.254 255.255.255.0
ip access-group PERMIT-MNG out
ip nat inside
ip virtual-reassembly
!!! NOTE: This route map is used to PBR the http traffic for our server
ip policy route-map REDIRECT-VIA-FAST-WAN
no cdp enable
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Virtual-Template3
no ip address
interface Virtual-Template4
no ip address
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended FAST-WAN-NAT
permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit icmp 192.168.5.0 0.0.0.255 any
permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
permit ip 192.168.5.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
route-map FAST-WAN-NAT-RMAP permit 10
match ip address FAST-WAN-NAT
match interface FastEthernet0/0.3
route-map REDIRECT-VIA-FAST-WAN permit 10
match ip address REDIRECT-VIA-FAST-WAN
set ip next-hop 88.XX.XX.73
route-map SLOW-WAN-NAT-RMAP permit 10
match ip address SLOW-WAN-NAT
match interface FastEthernet0/0.4Can you try to use PBR Match track object,
Device(config)# route-map abc
Device(config-route-map)# match track 2
Device(config-route-map)# end
Device# show route-map abc
route-map abc, permit, sequence 10
Match clauses:
track-object 2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Additional References for PBR Match Track Object
This feature is a part of IOS-XE release 3.13 and later.
PBR Match Track Object
Cisco IOS XE Release 3.13S
The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
The following commands were introduced or modified: match track tracked-obj-number
Cheers,
Sumit -
I need help with OAM 11g AuthZ policy.
Looking at the authorization policy, I can set it for IPAddress range, User Identity and time based.
I want to create a policy that checks for an attibute to see if its set or not and based on that allow or deny. How do I do that?I would look at Constraints on the AuthZ side.
Other than that, you could merely return a header variable for the attribute you want to toggle.
Maybe you are looking for
-
en System.Data.SqlClient.SqlConnection.OnError(SqlException exception, TdsParserState state) en System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, TdsParserState state) en System.Data.SqlClient.TdsParser.ThrowExceptionAndWarn
-
Changing text color of a string
im looking to change the color of some text within a datagrid. After searching I have found tons on item renderers and cannot figure out exactly how to make it work with what I need. I have a datagrid with a label function that looks something like t
-
Best way to create a speech bubble effect?
Hi there, I'm currently writing a simple game using java 2D, on screen i would like to show some text surrounded by a speech bubble which will be used to show what a character is saying. I need the text to be scrollable as there might be alot of it a
-
Delay time for Cancel query dialog
Hi Folks. I have a form where the property Interaction Mode is set to NONBLOCKING. When a slow query is initiated, the cancel query dialog is displayed after approx. 5 secs. Can anyone tell me if it's possible to alter the delay time before this dial
-
Australian Nationalities in Infotype 0002
Does anyone know what the definition is of the following Nationalities for Australia? Is this a requirement for reporting in Australia? (from Infotype 0002)? Thanks. Australian AU, Australian CC, Australian CX,