Manage Resources

Dictionaries and Dictionary Attributes

Dictionaries are domain-specific catalogs of attributes and allowed values that can be used to define access policies for a domain. An individual dictionary is a homogeneous collection of attribute type. Attributes that are defined in a dictionary have the same attribute type and the type indicates the source or context of a given attribute.

Attribute types can be one of the following:

  • MSG_ATTR

  • ENTITY_ATTR

  • PIP_ATTR

In addition to attributes and allowed values, a dictionary contains information about the attributes such as the name and description, data type, and the default values. An attribute can have one of the following data types: BOOLEAN, FLOAT, INTEGER, IPv4, OCTET_STRING, STRING, UNIT32, and UNIT64.

Cisco ISE creates system dictionaries during installation and allows you to create user dictionaries.

System Defined Dictionaries and Dictionary Attributes

Cisco ISE creates system dictionaries during installation that you can find in the System Dictionaries page. System-defined dictionary attributes are read-only attributes. Because of their nature, you can only view existing system-defined dictionaries. You cannot create, edit, or delete system-defined values or any attributes in a system dictionary.

A system-defined dictionary attribute is displayed with the descriptive name of the attribute, an internal name as understood by the domain, and allowed values.

Cisco ISE also creates dictionary defaults for the IETF RADIUS set of attributes that are also a part of the system-defined dictionaries, which are defined by the Internet Engineering Task Force (IETF). You can edit all free IETF RADIUS attribute fields except the ID.

Display System Dictionaries and Dictionary Attributes

You cannot create, edit, or delete any system-defined attribute in a system dictionary. You can only view system-defined attributes. You can perform a quick search that is based on a dictionary name and description or an advanced search that is based on a search rule that you define.

    Step 1   Choose Policy > Policy Elements > Dictionaries > System.
    Step 2   Choose a system dictionary in the System Dictionaries page, and click View.
    Step 3   Click Dictionary Attributes.
    Step 4   Choose a system dictionary attribute from the list, and click View.
    Step 5   Click the Dictionaries link to return to the System Dictionaries page.

    User-Defined Dictionaries and Dictionary Attributes

    Cisco ISE displays the user-defined dictionaries that you create in the User Dictionaries page. You cannot modify the values for Dictionary Name or Dictionary Type for an existing user dictionary once created and saved in the system.

    You can do the following in the User Dictionaries page:

    • Edit and delete user dictionaries.

    • Search user dictionaries based on name and description.

    • Add, edit, and delete user-defined dictionary attributes in the user dictionaries.

    • Add or remove allowed values for dictionary attributes.

    Create User-Defined Dictionaries

    You can create, edit, or delete user-defined dictionaries.

      Step 1   Choose Policy > Policy Elements > Dictionaries > User.
      Step 2   Click Add.
      Step 3   Enter the name for the user dictionary, an optional description, and a version for the user dictionary.
      Step 4   Choose the attribute type from the Dictionary Attribute Type drop-down list.
      Step 5   Click Submit.

      Create User-Defined Dictionary Attributes

      You can add, edit, and delete user-defined dictionary attributes in user dictionaries as well as add or remove allowed values for the dictionary attributes.

        Step 1   Choose Policy > Policy Elements > Dictionaries > User.
        Step 2   Choose a user dictionary from the User Dictionaries page, and click Edit.
        Step 3   Click Dictionary Attributes.
        Step 4   Click Add.
        Step 5   Enter the name for an attribute name, an optional description, and an internal name for the dictionary attribute.
        Step 6   Choose a data type from the Data Type drop-down list.
        Step 7   Click Add to configure the name, allowed value, and set the default status in the Allowed Values table.
        Step 8   Click Submit.

        RADIUS-Vendor Dictionaries

        Cisco ISE allows you to define a set of RADIUS-vendor dictionaries, and define a set of attributes for each one. Each vendor definition in the list contains the vendor name, the vendor ID, and a brief description.

        Cisco ISE provides you the following RADIUS-vendor dictionaries by default:

        • Airespace

        • Cisco

        • Cisco-BBSM

        • Cisco-VPN3000

        • Microsoft

        The RADIUS protocol supports these vendor dictionaries, and the vendor-specific attributes that can be used in authorization profiles and in policy conditions.

        Create RADIUS-Vendor Dictionaries

        You can also create, edit, delete, export, and import RADIUS-vendor dictionaries.

          Step 1   Choose Policy > Policy Elements > Dictionaries > System > Radius > Radius Vendors.
          Step 2   Click Add.
          Step 3   Enter a name for the RADIUS-vendor dictionary, an optional description, and the vendor ID as approved by the Internet Assigned Numbers Authority (IANA) for the RADIUS vendor.
          Step 4   Choose the number of bytes taken from the attribute value to specify the attribute type from the Vendor Attribute Type Field Length drop- down list. Valid values are 1, 2, and 4. The default value is 1.
          Step 5   Choose the number of bytes taken from the attribute value to specify the attribute length from the Vendor Attribute Size Field Length drop-down list. Valid values are 0 and 1. The default value is 1.
          Step 6   Click Submit.

          Create RADIUS-Vendor Dictionary Attributes

          You can create, edit, and delete RADIUS vendor attributes that Cisco ISE supports. Each RADIUS-vendor attribute has a name, data type, description, and direction, which specifies whether it is relevant to requests only, responses only, or both.

            Step 1   Choose Policy > Policy Elements > Dictionaries > System > Radius > Radius Vendors.
            Step 2   Choose a RADIUS-vendor dictionary from the RADIUS vendor dictionaries list, and click Edit.
            Step 3   Click Dictionary Attributes, and then click Add.
            Step 4   Enter the attribute name for the RADIUS vendor attribute and an optional description.
            Step 5   Choose the data type from the Data Type drop-down list.
            Step 6   Check the Enable MAC option check box.
            Step 7   Choose the direction that applies to RADIUS requests only, RADIUS responses only, or both from the Direction drop-down list.
            Step 8   Enter the vendor attribute ID in the ID field.
            Step 9   Check the Allow Tagging check box.
            Step 10   Check the Allow multiple instances of this attribute in a profile check box.
            Step 11   Click Add to add the allowed value for the vendor attribute in the Allowed Values table.
            Step 12   Click Submit.