https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905251#M226649 <HTML><HEAD></HEAD><BODY><P>1) I have never seen the actual SSID name anywhere in the radius attributes coming from the controller, i always use airespace-wlan-id, and if you wan't to avoid creating multiple rules, make the id's the same on all controllers.</P><P></P><P>2) Well OUI is part of the mac, so you could maybe use RegEX to filter out specific OUI's. Another way, if you have advanced license, would be to use Profiling, then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authoriz. policy ex . "Profiled:Iphone"</P></BODY></HTML> Tue, 24 Apr 2012 20:21:55 GMT jan.nielsen 2012-04-24T20:21:55Z https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905249#M226558 <P>I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -</P><P><A class="active_link" href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml</A></P><P></P><P>The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.</P><P></P><P>Anyone know how to do this on ISE?&nbsp; Two questions -</P><P></P><P>1) I can match based on WLAN-ID, but not SSID.&nbsp; My WLAN-IDs for the same SSID don't match between controllers.&nbsp; Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?&nbsp; Or, is there a different attribute I can use that refers to the SSID?</P><P></P><P>2) What attribute do you use in ISE Authorization conditions to match OUI?&nbsp; And can I match a list of OUIs?</P> Mon, 11 Mar 2019 02:00:43 GMT https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905249#M226558 kevin_miller 2019-03-11T02:00:43Z https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905250#M226606 <HTML><HEAD></HEAD><BODY><P>Kevin,</P><P></P><P>Thanks for opening a TAC case, basically a bug was filed to fix the logging to show the correct calling station id, currently the ISE reports show the (:) as the delimeter the pcap shows a hyphen. </P><P></P><P>Here is the bug to track this issue:</P><P></P><P><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtz41262">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtz41262</A></P><P></P><P>Thanks,</P><P>Tarik Admani</P></BODY></HTML> Tue, 24 Apr 2012 03:36:56 GMT https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905250#M226606 Tarik Admani 2012-04-24T03:36:56Z https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905251#M226649 <HTML><HEAD></HEAD><BODY><P>1) I have never seen the actual SSID name anywhere in the radius attributes coming from the controller, i always use airespace-wlan-id, and if you wan't to avoid creating multiple rules, make the id's the same on all controllers.</P><P></P><P>2) Well OUI is part of the mac, so you could maybe use RegEX to filter out specific OUI's. Another way, if you have advanced license, would be to use Profiling, then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authoriz. policy ex . "Profiled:Iphone"</P></BODY></HTML> Tue, 24 Apr 2012 20:21:55 GMT https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905251#M226649 jan.nielsen 2012-04-24T20:21:55Z https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905252#M226677 <HTML><HEAD></HEAD><BODY><P>Hi All.&nbsp; Thanks for the replys.</P><P>I was able to do this -</P><P>Radius:Called-Station-ID MATCHES .*(SSID)$</P><P>Radius:Calling-Station-ID STARTS_WITH 1C-AB-A7</P><P></P><P>The first does match the SSID properly - so I don't need to worry about matching WLAN IDs between controllers.</P></BODY></HTML> Wed, 25 Apr 2012 12:23:15 GMT https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905252#M226677 kevin_miller 2012-04-25T12:23:15Z https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905253#M226708 <HTML><HEAD></HEAD><BODY><P>Great info, i never noticed the ssid name in the calling station id, maybe it's a new thing in the controller software ?</P></BODY></HTML> Wed, 25 Apr 2012 17:03:59 GMT https://community.cisco.com/t5/network-access-control/ise-auth-policy-based-on-mac-oui-and-ssid/m-p/1905253#M226708 jan.nielsen 2012-04-25T17:03:59Z