topic Re: ISE policy using ip subnet for authorisation in Network Access Control

ISE policy using ip subnet for authorisation

guy.whitehouse@ft.com — Wed, 09 Jul 2025 08:21:07 GMT

Hello All

We are running flexconnect wifi and using the same ssid across multiple sites.

We want to deploy a splash page at each flexconnect remote site for one of our ssid's

We do not want to deploy all sites at the same time

So is it possible to authenticate against a ip subnet ?

So we could say if the request comes from subnet x to ise please provide a splash page

Or is their another way we could do this

Thanks in advance

Re: ISE policy using ip subnet for authorisation

Arne Bier — Wed, 09 Jul 2025 09:19:00 GMT

With Flexconnect, the RADIUS Access-Request comes from the WLC (central authentication) and not from the WAP itself (which means we can't regard the IP address of the WAP) - if my recollection of how this works is still correct, then it will be hard to localise which site/WAP the request is coming from. The Called-Station-ID attribute in the Access-Request can be constructed to contain SSID and MAC address of the WAP involved - but that means your ISE Wireless MAB Authorization Policy would need a complex condition to check for all the MAC addresses involved - depending on your deployment, that might be infeasible.

The MAC addresses shown above use dashes as delimiter - best to validate this in wireshark via tcpdump.

If you can share a wireshark decode of a flexconnect Access-Request that shows all the attributes, perhaps there is a better one to use that would work.

Re: ISE policy using ip subnet for authorisation

MHM Cisco World — Wed, 09 Jul 2025 09:23:54 GMT

Sure Yes if wlc + AP add IP of wifi to radius request

Can I know the wlc or AP you use?

MHM

Re: ISE policy using ip subnet for authorisation

guy.whitehouse@ft.com — Wed, 09 Jul 2025 09:31:51 GMT

Hello we are usinh 9120 AP's

Re: ISE policy using ip subnet for authorisation

Arne Bier — Wed, 09 Jul 2025 09:54:27 GMT

The model of AP/WLC is neither here nor there. The question to answer is what the RADIUS Access-Request looks like when an endpoint (client device) associates to the SSID on such a FlexConnect WAP. My theory about the Called-Station-ID might be correct, but as mentioned, it's probably not feasible if there are many WAPs involved.

The Framed-IP-Address could also be used - this is the IP address of the end client - but ISE only supports EQUALS and NOT EQUALS operators - which means you can't write a regular expression to match an entire subnet (we need the MATCHES operator) - I don't think you want to write an ISE OR condition that contains all the IP addresses in a potentially large subnet.

Re: ISE policy using ip subnet for authorisation

MHM Cisco World — Wed, 09 Jul 2025 10:42:31 GMT

You mentioned flexcon so what is wlc plat you?

Did yoh try use calling-station-ID type ip-add?

MHM

Re: ISE policy using ip subnet for authorisation

Torbjørn — Wed, 09 Jul 2025 11:48:53 GMT

I usually do this by setting called-station-id to "ap-name-ssid" and matching based on AP name. This is easier to understand for colleagues working with the ISE deployment and the AP name prefix is usually equally if not more suited to match the specific site.

Re: ISE policy using ip subnet for authorisation

guy.whitehouse@ft.com — Wed, 09 Jul 2025 12:00:20 GMT

We are using 5520 WLC

Re: ISE policy using ip subnet for authorisation

MHM Cisco World — Wed, 09 Jul 2025 12:37:52 GMT

Calling-station-id ""wifi endpoint info""

Called-station-id ""AP""

MHM