Add attribute for passing endpoint description to WLC as username

[Ernest0vich]

Is your feature request related to a problem? Please describe. Currently, WLC shows MAC-address as username which is expected, but not very convinient for identification and visibility purposes as it requires to get endpoint information from iPSK Manager manually.

Describe the solution you'd like There is a way to pass WLC (at least to Cisco Catalyst 9800) new username by adding RADIUS attribute cisco-av-pair=subscriber:username=*** in access-accept reply. This attribute can be extracted by Cisco ISE via ODBC dynamically just like a iPSK/VLAN/dACL are being extracted now and added to authorization profile.

I did a test by modifying existing MySQL procedure for attribute fetch and added new attribute called subscriberName which is defined as below: concat('subscriber:username=', fullName) as subscriberName By using this attribute in Cisco ISE authorization profile I've managed to push fullName as username to WLC, and it was shown in clients list and even used in RADIUS accounting. I think it can massively enhance endpoint visibility.

Describe alternatives you've considered I've tried to concatenate string subscriber:username= and existing iPSK endpoint attributes in Cisco ISE authorization profile, but it seems that it just doesn't work this way and ISE can't join static string with dynamic attribute from external identity source.

Different scenarios might require different approach, e.g. for IoT devices description can be used as source of username data, and for BYOD self-registration devices createdBy might be more useful.

[ciesinsn]

Interesting enhancement and will add it as a item to consider adding.

[ciesinsn]

This is part of branch dec25 which will merge in the next pull