Cisco Bug: CSCum57190 - ISE ENH Support for multiple attributes mapped from LDAP/AD to Radius
May 27, 2019
- Cisco Identity Services Engine
Known Affected Releases
Symptom: Currently when mapping attributes from LDAP/AD to Radius ISE does not support multi-value attributes. The example is MemberOf attribute from LDAP/AD. When trying to return it as a Radius attribute ISE will try to concatenate all MemberOf attributes to a single Radius attribute and will almost always fail since single Radius attribute can be up to 255 bytes long. That functionality might be helpful for ASA DAP. ISE should return Cisco-VPN3000/ASA/PIX7x-DAP-Member-Of defined as AD1:memberOf. Currently the response will be never sent by ISE because all MemberOf attributes concatenated to one attribute usually exceeds 255 bytes. ISE will return error: RADIUS: Invalid attributes in outgoing radius packet - possibly some attributes exceeded their size limit user=Administrator,Releasing session after packed is not created Because of that many ASA DAP deployments does not use ACS/ISE but connect to LDAP/AD directly. This enhancement is created to have a possibility to map each multi-value attribute from LDAP/AD to a separate Radius attribute. For example if there were 5 MemberOf attributes on LDAP/AD for specific user that should be mapped to 5 separate Radius attributes instead of 1 when configuring attribute mapping with "multi-value" feature. Conditions: Returning Radius attribute mapped from LDAP/AD. The issue is for multi-values attribute.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases