ISE AuthZ policy based on FlexConnect Group

Hi all,
I understand that it is possible to have the WLC send different NAS-ID attributes to the CIsco ISE so that I can create specific AuthZ policies based on that NAS-ID attribute.
The only thing is that I cannot see anywhere in the FlexConnect AP Group config that allows me to choose the format for the RADIUS request. I can only see it when adding a RADIUS server in Global Configuration.
So how can I define the attribute that is sent to the ISE?
Thanks
Mario

I don't remember there being a NAS-ID attribute for FlexConnect groups. There is one for AP Group and WLAN.

Similar Messages

  • Cisco ISE auth policy based on Active Directory domain membership

    I am currently testing the Cisco ISE product and I am trying to find a way to assign an authorization policy based on domain membership.  Our company sorts standard users and project team member into different domains so it seemed like the ideal thing to sort with.  Unfortunately, I am no AD expert and there are a mind boggling number of conditions/expressions to choose from.  I figured I would be the first person to try this.  What have other done to solve this problem?
    I have tried using the memberOf attribute and matching to .*(domain).*  Basically looking to see if memberOf contains the domain name.  It works for machine authentication, but when I log it the system cannot find my account info for some reason and boots me to the guest vlan.
    Thank you.

    Are the two sets of users actually residing on two separate and independent domains? If so then that is probably where your problem is as ISE can only integrate with a single domain. If you have multiple domains then there must be a trust relationship between them. Another solution is to use LDAP integrations as there is not a limit with LDAP integrations.
    Thank you for rating!

  • ISE Auth policy based on MAC OUI and SSID

    I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.
    Anyone know how to do this on ISE?  Two questions -
    1) I can match based on WLAN-ID, but not SSID.  My WLAN-IDs for the same SSID don't match between controllers.  Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?  Or, is there a different attribute I can use that refers to the SSID?
    2) What attribute do you use in ISE Authorization conditions to match OUI?  And can I match a list of OUIs?

    1) I have never seen the actual SSID name anywhere in the radius attributes coming from the controller, i always use airespace-wlan-id, and if you wan't to avoid creating multiple rules, make the id's the same on all controllers.
    2) Well OUI is part of the mac, so you could maybe use RegEX to filter out specific OUI's. Another way, if you have advanced license, would be to use Profiling, then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authoriz. policy ex . "Profiled:Iphone"

  • Using Framed IP Address in ISE AuthZ policy

    Hi,
    i have an issue when attempting to use the RADIUS-Framed-IP attribute in a User Authorisation policy. Essentially, when I try and map the Radius attribute to the user custom attribute in the AAuthZ profile, it will not let me as the RADIUS Framed IP has a data type of IPv4 and the user attribute i created has a data type of string.
    I cannot see the data type of IPv4 available when creating user attributes.
    Is there a way around this?
    Thanks
    Mario

    Which version of ISE / patch are you using
    The following was fixed in ISE 1.2 patch 3
    CSCuj14382 Cannot statically assign IP address as FramedAddress

  • AuthZ Policy using specific Endpoint Identity Groups

    I am trying to create an AuthZ policy that will identify if a device is in specific Endpoint Identity Group.  See policy below.
    I used the IdentityGroup:Name attribute Equals the Identity Group MAB_Devices.  Please note that there are NO Identity groups listed in the dropdown options, so I typed in the name.   Alas, the rule is not working.   Anyone have advise on what I am doing wrong?  Thx

    Bransomar, your screenshot is an Authentication policy rule but you should do it in Authorization policy. Authentication policy sorts out requests by request method and origin and assigns an identity store to each.

  • ISE Authorization Policy Issues

    Hello Team,
    I´m getting troubles during my implementation: The User PC never gets IP Address from Access VLAN after AuthZ Policy succeded.
    I have two vlans in my implementation:
    Vlan ID 802 for Authentication (Subnet 10.2.39.0)
    Vlan ID 50 for Access Users (Subnet Y.Y.Y.Y)
    When I start my User PC, I get IP for VLAN 802 (10.2.39.3) and After Posture process, ISE inform the switch to put the User PC port in VLAN 50.
    Here I have my Switch Port Configuration:
    interface GigabitEthernet0/38
     switchport access vlan 802
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 120
     ip access-group ACL-DEFAULT in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 50
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    end
    And Here, I have outputs AuthZ Policy in Action:
    Oct  7 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    Oct  7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    Oct  7 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
    Oct  7 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
    Oct  7 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
    Oct  7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
    SWISNGAC8FL02#
    Oct  7 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    SWISNGAC8FL02#
    Oct  7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    Oct  7 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS
    After that, I have:
    SWISNGAC8FL02#sh auth sess int g0/38 
                Interface:  GigabitEthernet0/38
              MAC Address:  0022.1910.4130
               IP Address:  10.2.39.3
                User-Name:  SNL\enzo.belo
                   Status:  Authz Success
                   Domain:  VOICE
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  50
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A022047000000F6126E9B17
          Acct Session ID:  0x000001A7
                   Handle:  0x710000F7
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    Apparently, everything is OK, but NOT. The User PC never gets IP Address from Access VLAN 50.
    If I do  SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130
      50    0022.1910.4130    STATIC      Gi0/38 
     802    0022.1910.4130    STATIC      Gi0/38 
    And
    SWISNGAC8FL02#sh epm session summary 
    EPM Session Information
    Total sessions seen so far : 17
    Total active sessions      : 1
    Interface                       IP Address        MAC Address     VLAN   Audit Session Id:
    GigabitEthernet0/38     10.2.39.3         0022.1910.4130    802     0A022047000000F6126E9B17
    My Switch is a Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
    I am using ISE Version 1.2.1.198 Patch Info 2
    Could you help me in this Case ?
    Best Regards,
    Daniel Stefani

    It seems like the PC is operating in the VOICE-domain according to the cmd auth sess int you showed. Do you think that has something to do with your problem? I've experienced some PC's having problem with that.
    If you could, try getting the PC to operate in the DATA-domain by not sending the voice-attribute from ISE after the authorization.

  • Authorization based on AP group

    Hi,
    I am running WLC 7.4.100 and ISE 1.2. With Flexconnect APs.
    In ISE I have a condition that say "Radius: Called-Station-ID CONTAINS ssid" in a Policy Set. This works fine and in ISE I can see the attribute on the devices:
    Called-Station-ID
    7c-95-f3-73-f4-e0:ssid
    Now I will have several branch offices with the same SSID but different VLANs. So I want to change so the called-station-ID can be a AP group insted. But I can't seem to figure out how to change this so the WLC sends the AP group as Called-station-ID.
    In the WLC under Security - RADIUS - Authentication the "Call Station ID Type" is set to "IP address". (This is strange to me since the attribute in ISE is "AP MAC address: SSID".)
    Is Call Station ID different from Called Station ID?
    Where do I change the Called Station ID in WLC?
    Regards,
    Philip

    I can't upgrade the WLC, it is a live environment with production 24/7. It will take me a month to get a maintenance window.
    I ran some debuggin and I can see this:
    *aaaQueueReader: Jan 30 08:23:10.558: AuthenticationRequest: 0x2b547afc
    *aaaQueueReader: Jan 30 08:23:10.558:  Callback.....................................0x11593a70
    *aaaQueueReader: Jan 30 08:23:10.558:  protocolType.................................0x00140001
    *aaaQueueReader: Jan 30 08:23:10.558:  proxyState...................................08:11:96:F1:7A:CC-19:02
    *aaaQueueReader: Jan 30 08:23:10.558:  Packet contains 14 AVPs (not shown)
    <output omitted>
    *aaaQueueReader: Jan 30 08:23:10.558: 00000040: 1e 1d 35 30 2d 31 37 2d  66 66 2d 65 35 2d 32 62  ..50-17-ff-e5-2b
    *aaaQueueReader: Jan 30 08:23:10.558: 00000050: 2d 65 30 3a 61 78 2d 73  65 63 75 72 65 05 06 00  -e0:ssid...
    <output omitted>
    *aaaQueueReader: Jan 30 08:23:10.653: AccountingMessage Accounting Interim: 0x2b6190e0
    *aaaQueueReader: Jan 30 08:23:10.653:  Packet contains 24 AVPs:
    *aaaQueueReader: Jan 30 08:23:10.653:      AVP[23] Called-Station-Id........................AP_grupp(17 bytes)
    So the WLC sends MAC:SSID with the authentication packets but AP GROUP with the accounting packet. This is not good since I want to use AP group in authentication. Is there any way to fix this?

  • ISE AuthZ for Wireless Phones MIC EAP-TLS

    Hi all,
    Trying to authorise 7925G phones using MIC and EAP-TLS. My problem is that I can't seem to get the username in the MIC to match against an Internal Identity group on ISE AuthZ policies. If I remove the endpoint ID group I am able to auth no worries. Everything looks great including the username been in a specific User ID group but I just cannot get it to match a policy with this group selected (both as the ID Group and as an "Internal User:Identity Group" condition).
    Any ideas or is this just not possible?

    Out of curiousity why would you suggest MAB in this instance? These devices have MIC certs and are pretty much EAP-TLS ready out of the box? My problem simply lies with the apparent inability of ISE to match the Subject CN againt an internal group.

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
    What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
    I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    Ok, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
    I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
    In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
    Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
    I have a case with Cisco engineer now and still in the middle to sort things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • ISE 1.2 Multi-Portal Identity Group Mapping

    Hi,
    Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
    I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I cant find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal, and getting a successful authentication message. Of course I can further restrict the access in another policy rule, but this isnt a very neat solution.
    Anybody have any ideas? It seems so basic that it has to be possible somehow?!
    Regards

    You can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
    In the end if a user logs into portal A they hit the DRW and accept, ISE dumps them into a endpoint group called PortalA, you can then tie this into a policy where the PortalA endpoint is denied association to any other open ssid you have in your design.
    Here is the document -
    https://supportforums.cisco.com/docs/DOC-26667
    Tarik Admani
    *Please rate helpful posts*

  • ISE Authentication Policy for RSA Securid and LDAP for VPN

    We are working on replacing our existing ACS server with ISE.  We have 2 groups of users, customers and employees.  The employee's utilize RSA securid for authentication while the customers use Window authentication.  We have integrated the AD into ISE using LDAP and this has been tested.  We are now working on trying to get the rsa portion to work.  We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
    Here is my question:
    Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users.  I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment.  With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA.  The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy.  The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues.  Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl. 
    Thanks,
    Joe

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you descripbed, it seemed like anyone in this group can go directly
    into enable mode without password. This is not what I have in mind.
    Any other ideas? Thanks.

  • AuthZ Policy "Monitor Only" mode

    I have a question about the AuthZ Policy “Monitor Only” or "Audit" mode.  I want to test a new AuthZ policy by using “Monitor Only” mode, but I am not seeing any indication that my Test device is hitting the rule while in Monitor only mode… It ends up hitting our last default rule which is currently permit any.  If I actually enable the rule, I can see the device hitting the rule and getting denied in the Authentication log window.
    So I know the rule works, but I want to only monitor the rule for now to see what would get denied, so that we can assess how we want to handle auth for said devices.  According some info I found, I should be seeing an indication in the Auth log window that a rule was matched, if it is Monitor only mode.
    I am currently running ISE 1.3.0.876.
    Any help is appreciated

    I have had the same experience.  If you look at the AuthZ details for the connection, you will see under Other Attributes a special attribute returned named "RadiusAuthorizationPolicyMatchedMonitorRules," but as far as I know there is no way to run a report on it. Maybe someone else has a suggestion on it.
    What I do as a workaround is create a rule matching the conditions and create a special Authorization Profile for the rule that just has ACCESS_ACCEPT (not to break any traffic), then run a RADIUS Authentication report matching that Authorization Profile.

  • Policy based routing on VRF interfaces to route traffic through TE Tunnel

    Hi All,
    Is there a method to do policy based routing on VRF interfaces and route data traffic through one TE tunnel and non-data traffic through another TE tunnel.
    The tunnel is already build up with these below config
    interface Tunnel25
    ip unnumbered Loopback0
    tunnel destination 10.250.16.250
    tunnel mode mpls traffic-eng
    tunnel mpls traffic-eng path-option 10 explicit name test
    ip explicit-path name test enable
    next-address x.x.x.x
    next-address y.y.y.y
    router ospf 1
    mpls traffic-eng router-id Loopback0
    mpls traffic-eng area 0
    mpls traffic-eng tunnels
    nterface GigabitEthernet5/2
    mpls traffic-eng tunnels
    mpls ip
    Is there additional config needed to work ,also in the destination end for the return traffic,we want to use the normal PATH --I mean non TE tunnel.
    We tested with the above scenario,but couldn't able to reach the destination.Meantime we had a question,when the packet uses the policy map while ingress,it may not know the associatuion with VRF(Is that right? --If so ,how to make it happen)
    Any help would be really appreciated
    Thanks
    Regards
    Anantha Subramanian Natarajan

    hi Anantha!
    I might not be the right person to comment on your first question. I have not configured MVPNs yet and not very confertable with the topic.
    But I am sure that if you read through the CBTS doc thoroughly, you might be able to derive the answer yourself. One thing I notice is that " a Tunnel will be selected regularly according to the routing process (even isf it is cbts enabled). From the tunnels selected using the regular best path selection, the traffic is mapped to a perticular tunnel in the group if specific class is mapped to that tunnel.
    So a master tunnel can be the only tunnel between the 2 devices over which the routing (bgp next hops) are exchanged and all other tunnels can be members of this tunnel. So your RPF might not fail.
    You might have to explore on this a bit more and read about the co-existance of multicast and TE. This will be the same as that.
    For your second question, the answer would be easy :
    If you want a specific eompls cust to take a particular tunnel/path, just create a seperate pair of loopbacks on the PEs. Make the loopback learnt on the remote PE through the tunnel/path that you want the eompls to take. Then establish the xconnect with this loopback. I am assuming that your question is that a particular eompls session should take a particular path.
    If you meant that certain traffic from the same eompls session take a different path/tunnel, then CBTS will work.
    Regards,
    Niranjan

  • Policy Based Routing with VPN Client configuration

    Hi to all,
    We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
    The router has two WAN connections. One is the primary wan ("slow wan" link with slower upload 10D/1U mbps) and it is used for the corporate workstations used by the emploees. The other is our backup link. It has higher upload speed - 11D/11U mbps, (fast wan), and thus we also use the high upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasions we can not use the `fast wan` connection as our primary connection and it is used anly as a failover in case the primary link fails.
    The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
    Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes from the`fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload the vpn connection is slow.
    Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
    This is our sanitized config
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group dc
    key ***
    dns 192.168.5.7
    domain corp.local
    pool SDM_POOL_1
    acl 101
    max-users 3
    netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group dc
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile SDM_Profile1
    set security-association idle-time 3600
    set transform-set ESP-3DES-SHA
    set isakmp-profile sdm-ike-profile-1
    interface Loopback0
    ip address 10.10.10.1 255.255.255.0
    interface FastEthernet0/0
    description *WAN*
    no ip address
    ip mtu 1396
    duplex auto
    speed auto
    interface FastEthernet0/0.3
    description FAST-WAN-11D-11U
    encapsulation dot1Q 3
    ip address 88.XX.XX.75 255.255.255.248
    ip load-sharing per-packet
    ip nat outside
    ip virtual-reassembly
    interface FastEthernet0/0.4
    description SLOW-WAN-10D-1U
    encapsulation dot1Q 4
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    interface FastEthernet0/1
    description *LOCAL*
    no ip address
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/1.10
    description VLAN 10 192-168-5-0
    encapsulation dot1Q 10
    ip address 192.168.5.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly max-reassemblies 32
    no cdp enable
    interface FastEthernet0/1.20
    description VLAN 20 10-10-0-0
    encapsulation dot1Q 20
    ip address 10.10.0.254 255.255.255.0
    ip access-group PERMIT-MNG out
    ip nat inside
    ip virtual-reassembly
    !!! NOTE: This route map is used to PBR the http traffic for our server
    ip policy route-map REDIRECT-VIA-FAST-WAN
    no cdp enable
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile SDM_Profile1
    interface Virtual-Template3
    no ip address
    interface Virtual-Template4
    no ip address
    ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
    ip forward-protocol nd
    !!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
    !!! FAST-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
    ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
    ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
    access-list 101 remark SDM_ACL Category=4
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 10.10.0.0 0.0.0.255 any
    ip access-list extended FAST-WAN-NAT
    permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit icmp 192.168.5.0 0.0.0.255 any
    permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit icmp 10.10.0.0 0.0.0.255 any
    ip access-list extended REDIRECT-VIA-FAST-WAN
    deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
    permit tcp host 10.10.0.43 eq 443 9675 any
    ip access-list extended SLOW-WAN-NAT
    permit ip 192.168.5.0 0.0.0.255 any
    permit ip 10.10.0.0 0.0.0.255 any
    route-map FAST-WAN-NAT-RMAP permit 10
    match ip address FAST-WAN-NAT
    match interface FastEthernet0/0.3
    route-map REDIRECT-VIA-FAST-WAN permit 10
    match ip address REDIRECT-VIA-FAST-WAN
    set ip next-hop 88.XX.XX.73
    route-map SLOW-WAN-NAT-RMAP permit 10
    match ip address SLOW-WAN-NAT
    match interface FastEthernet0/0.4

    Can you try to use PBR Match track object,
    Device(config)# route-map abc
    Device(config-route-map)# match track 2
    Device(config-route-map)# end
    Device# show route-map abc
    route-map abc, permit, sequence 10
      Match clauses:
        track-object 2
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Additional References for PBR Match Track Object
    This feature is a part of IOS-XE release 3.13 and later.
    PBR Match Track Object
    Cisco IOS XE Release 3.13S
    The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
    The following commands were introduced or modified: match track tracked-obj-number
    Cheers,
    Sumit

  • 11g OAM AuthZ policy

    I need help with OAM 11g AuthZ policy.
    Looking at the authorization policy, I can set it for IPAddress range, User Identity and time based.
    I want to create a policy that checks for an attibute to see if its set or not and based on that allow or deny. How do I do that?

    I would look at Constraints on the AuthZ side.
    Other than that, you could merely return a header variable for the attribute you want to toggle.

Maybe you are looking for

  • Error connecting a visual application of 2008 to a database in sql server with mk3100 device with Windows Embedded Compact 7

    en System.Data.SqlClient.SqlConnection.OnError(SqlException exception, TdsParserState state) en System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, TdsParserState state) en System.Data.SqlClient.TdsParser.ThrowExceptionAndWarn

  • Changing text color of a string

    im looking to change the color of some text within a datagrid. After searching I have found tons on item renderers and cannot figure out exactly how to make it work with what I need. I have a datagrid with a label function that looks something like t

  • Best way to create a speech bubble effect?

    Hi there, I'm currently writing a simple game using java 2D, on screen i would like to show some text surrounded by a speech bubble which will be used to show what a character is saying. I need the text to be scrollable as there might be alot of it a

  • Delay time for Cancel query dialog

    Hi Folks. I have a form where the property Interaction Mode is set to NONBLOCKING. When a slow query is initiated, the cancel query dialog is displayed after approx. 5 secs. Can anyone tell me if it's possible to alter the delay time before this dial

  • Australian Nationalities in Infotype 0002

    Does anyone know what the definition is of the following Nationalities for Australia? Is this a requirement for reporting in Australia? (from Infotype 0002)? Thanks. Australian AU, Australian CC, Australian CX,