topic Re: Policy Set for web admin gui in Network Access Control

Policy Set for web admin gui

Philip Vilhelmsson — Fri, 05 Oct 2018 12:07:32 GMT

Hi,

I have several web admin gui, like WLC and DNAC, that I would like to have RADIUS-login to. I am running ISE 2.3.

The problem I am having is to write a Policy Set that will get matched when a web-login-request comes to ISE.

In the RADIUS-log I can see that the attempts has these two attributes:

Authentication Method	PAP_ASCII
Authentication Protocol	PAP_ASCII

I do not see NAS Port type or any other attribute that is different from other RADIUS packets.

However I am not able to choose Auth Method or Protocol as conditions in the Policy Set. I tried making my own condition in the Library, but that one I can only choose in the Authorization Policy not the Policy Set.

Do you know any way I can do a Policy Set that will match on web-login?

Regards

Philip

Re: Policy Set for web admin gui

paul — Fri, 05 Oct 2018 12:32:42 GMT

Use device type and build a policy set for each device type. Or are you trying to distinguish between CLI and Web access. I don't usually do that for WLCs.

Re: Policy Set for web admin gui

Philip Vilhelmsson — Fri, 05 Oct 2018 12:49:43 GMT

Hi,

If I use only device type then all traffic from the WLC will hit that Policy Set, including dot1x and MAB traffic. It would be ideal to have one Set for Admin login (CLI and GUI), on for Dot1x, one for MAB and one for Guest.
I can put a general Policy Set at the bottom that will catch all auth requests that aren't dot1x,mab,guest, but I would rather have something that catches web auth traffic.
Regards
Philip

Re: Policy Set for web admin gui

paul — Fri, 05 Oct 2018 12:52:43 GMT

WLC authentication is TACACS not RADIUS.

Re: Policy Set for web admin gui

Philip Vilhelmsson — Fri, 05 Oct 2018 12:58:11 GMT

No you can have RADIUS also. I have done this on earlier versions of ISE.

https://rscciew.wordpress.com/tag/wireless-lan-controller/

Re: Policy Set for web admin gui

paul — Fri, 05 Oct 2018 13:00:43 GMT

I know you can but why would you? Or don't you have the TACACS license? Otherwise just put the WLC device type rules below your wireless SSID rules.

Re: Policy Set for web admin gui

Philip Vilhelmsson — Fri, 05 Oct 2018 13:04:43 GMT

Yep, that is exactly the reason. Don't have TACACS lic 😞
Well if there isn't a way to have Authentication Method or Protocol as a condition then I have to have a rule at the bottom that catches all traffic that isn't dot1x or mab.
Thank you for your answer.

Regards
Philip