topic Re: Cisco ISE Policy Set for Access-Points in Network Access Control

Cisco ISE Policy Set for Access-Points

gaigl — Tue, 11 Feb 2025 11:30:29 GMT

Hello,

we've a Cisco ISE 3.4 p1 and have some 802.1x and MAB Policies.

Now I want our Access-Points (Cisco-AP-Catalyst-9120AX) in an extra VLAN.

Under Context Visibility I see all the AP's with the Model, but don't get started.

New Policy-Set, should I use for Condition Device-Type: $Switch, like for the 802.1x and MAB Policy?

Where can can I use the Endpoint Profile "Cisco-AP-Catalyst-9120AX" in a Policy Set?

I know, in the Authorization Policy I can define the VLAN

any Help appreciated

Re: Cisco ISE Policy Set for Access-Points

Aref Alsouqi — Tue, 11 Feb 2025 12:32:47 GMT

Depends on how you want the match to be, if you want the match to be done based on device type or location, then you can add those conditions to your policy.

If you want to use the AP profile as a condition then in the authorization rule you can select "EndPoints > EndPointPolicy" as the condition and then finally select the profile you want to use.

Re: Cisco ISE Policy Set for Access-Points

gaigl — Tue, 11 Feb 2025 14:15:17 GMT

OK, thank you!

I've got now the authorization Rule with the Endpoints, but what will be the Condition of the Policy-Set?

I could use "Device Type: Access-Switch", but what would I use for "Allowed Protocols / Server Sequence" ?

I think, anyway I have to differ from the 802.1x and MAB Policy.

Sorry, if I'm a little bit clueless

Re: Cisco ISE Policy Set for Access-Points

Aref Alsouqi — Tue, 11 Feb 2025 14:33:49 GMT

You're welcome. Are you going to do MAB for the APs?

Re: Cisco ISE Policy Set for Access-Points

Aref Alsouqi — Tue, 11 Feb 2025 14:41:38 GMT

If you have already a policy set and you don't want to create a separate one to authenticate and authorize the APs, then you can just add a new authentication rule to your existing MAB (assuming you will be doning MAB) policy specifying the device type and location in the authentication rule as conditions. Then you create a new authorization rule with the APs profile as a condition as shown in my post above.

Re: Cisco ISE Policy Set for Access-Points

gaigl — Tue, 11 Feb 2025 14:43:33 GMT

I'm not sure, the ISE knows the AP Model without work from me, could be from MAC Address.

Would be fine, if I don't need any Action, if a new AP is mounted.

Re: Cisco ISE Policy Set for Access-Points

gaigl — Tue, 11 Feb 2025 14:46:04 GMT

oh, I undestand, I'll try tomorrow

Thank you

Re: Cisco ISE Policy Set for Access-Points

Aref Alsouqi — Tue, 11 Feb 2025 16:20:49 GMT

ISE has plenty of predefined profiles, if you look at the APs profile you would most likely see some attributes in addition to the OUI.

Re: Cisco ISE Policy Set for Access-Points

gaigl — Wed, 12 Feb 2025 06:13:22 GMT

Thanks a lot Aref, works as expected: new Authorization Rule in the MAB Policy Set

Re: Cisco ISE Policy Set for Access-Points

Aref Alsouqi — Wed, 12 Feb 2025 09:36:44 GMT

You're very welcome, glad to be of help.