topic Thats odd, the order of the in Network Access Control

ISE Guest SSID need only web auth & Mobile device need mac address auth

kamlenegi — Mon, 11 Mar 2019 06:45:45 GMT

Hi All,

Can someone help me in segregating two ssid authentication. i) Guest ssid use web authentication (guest sponsor portal) which is working fine.

ii) Mobile phone ssid use mac address authentication which is partially working. I have done some configuration in ISE and mac filtering enable in WLC.

Rule Name - VIP Wireless
Conditions - VIP and Radius:Called-Station-ID CONTAINS VIP-SSID
Permissions - PermitAccess

I am able to connect VIP-SSID, if my phone mac is in ISE, but if mac address is not in ISE then it is using guest web redirection policy and getting authenticate using guest credential.

How can we stop this thing that guest web redirection is use only for guest ssid not for mobile.

Thanks

Kamlesh

You need to make your CWA

jan.nielsen — Thu, 12 May 2016 08:49:25 GMT

You need to make your CWA redirect rules more specific, like your mobile phone ssid, so add the Called-Station-ID CONTAINS "Guest-SSID" to your redirect rule.

Hi Nielsen,

kamlenegi — Thu, 12 May 2016 09:01:13 GMT

Hi Nielsen,

I tried that as follows:

rule name: guest-wireless

condition: wireless_mab & Called-Station-ID CONTAINS or END-WITH Guest-SSID

result: centralize web auth......redirect acl .....sponsor guest portal.

Then I was able to connect guest ssid but not web redirection or not able to connect mobile ssid, it was showing connecting.....

Is there anything I am missing?

Thanks

Kamlesh

Try not using two conditions

jan.nielsen — Thu, 12 May 2016 09:09:09 GMT

Try not using two conditions for your Called-Station-ID, just use CONTAINS

Also, are you sure it's not

jan.nielsen — Thu, 12 May 2016 09:10:23 GMT

Also, are you sure it's not just your phone that is auto-connecting to the open ssid, when it gets rejected on the VIP SSID, thats a very normal thing for a phone to do ?

Hi Nielsen,

kamlenegi — Thu, 12 May 2016 09:28:19 GMT

Hi Nielsen,

I tried one by one both condition in guest rule, one condition at a time.

Whenever, I am configuring the above condition then mobile phone also getting rejected and guest portal is not getting web redirection.

What would be the policy sequence, I put Mobile policies first then guest CWA.

Thanks

Kamlesh

Thats odd, the order of the

jan.nielsen — Thu, 12 May 2016 15:27:33 GMT

Thats odd, the order of the rules should not matter when the conditions are specific to an SSID, because only the correct rule will match.

You should try enabling the guest cwa rule, with just Called-Station-ID CONTAINS "Guest-SSID", and then show take a screenshot of the detail log for the mab requests where you say the mobile gets rejected and guests don't get redirected-

Hi,

Francesco Molino — Thu, 12 May 2016 15:38:02 GMT

Hi,

Can you drop us a screenshot of your ISE policy rules?

Hi Nielsen,

kamlenegi — Fri, 13 May 2016 07:00:44 GMT

Hi Nielsen,

Attached is screenshot of policy & live logs.

When I am changing condition from Wireless_MAB to CONTAINS GUEST-SSID then no one wireless ssid is connecting and match default deny rule.

Thanks

Kamlesh

We need the whole page of the

jan.nielsen — Fri, 13 May 2016 07:29:12 GMT

We need the whole page of the details log not just the top of it, if you cant capture that, then you should look for the Called-Station-Id attribute in the detail log of a denied request, it sounds like your WLC is not sending the SSID name in that av-pair, this is configurable in the WLC. That would explain why it's not matching your auth rule conditions

Hi Nielsen,

kamlenegi — Fri, 13 May 2016 07:56:22 GMT

Hi Nielsen,

I think I am done, now I changed CONTAINS to END-WITH Guest ssid. Then I am able to achieve the requirement. Let me do some more testing, will update you.

What would be the WLC configuration for av-pair.

Thanks for your support.

Kamlesh

Hi Nielsen,

kamlenegi — Fri, 13 May 2016 10:45:44 GMT

Hi Nielsen,

We have done testing in 10-15 mobiles phone and now it is going as per requirement. I think this was not working in "Contains" due to all 4 ssid starting with same name.

I have done all ssid policy configuration such as:

Rule Name - VIP Wireless
Conditions - VIP and Radius:Called-Station-ID END-WITH VIP-SSID
Permissions - PermitAccess

For guest need to web redirection.

Now everything is working, thanks for your support Nielsen.

Thanks

Kamlesh

Hi,

kamlenegi — Fri, 13 May 2016 13:39:08 GMT

Hi,

In av-pair there is audit session-id, attached is log file.

Thanks

Kamlesh

Hi

Francesco Molino — Fri, 13 May 2016 13:39:09 GMT

Your issue seems to be corrected now.

Just 1 information: When you have multiple SSID and you want to do different authentication methods, you can activate PolicySet feature. It will allow you to have different authentication and authorization rules depending on your SSIDs.

With PolicySet, you can differentiate SSIDs by using WLAN-ID as criteria. This WLAN-ID could be seen on your WLC.

This method is good because you can a better organization view on ISE.

Thanks