https://community.cisco.com/t5/wireless/can-you-do-wireless-device-profiling-and-policy-classification/m-p/3911192#M170598 <P>I don't think you can do by role string for local auth, however your matching criteria can be EAP-TYPE (I think device type also works but I have not used it myself), then you can allocate any of the values in Action field.</P> Wed, 21 Aug 2019 00:58:17 GMT Ambuj M 2019-08-21T00:58:17Z https://community.cisco.com/t5/wireless/can-you-do-wireless-device-profiling-and-policy-classification/m-p/3909944#M170596 <P>I just found out that you can do <A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/NativeProfiling75.html#pgfId-55504" target="_self">profiling and policy classification</A> on Cisco WLC to assign session timeouts, ACLs, and VLANs regardless of what those settings are set to on the WLAN.</P><P>&nbsp;</P><P>For it to work though, it looks like you need an external RADIUS server to return the Cisco-AV-Pair setting and "role=role_value" so that the correct policy can be picked up (I can't match on device type or EAP type for my specific scenario).</P><P>&nbsp;</P><P>Does anyone know how to use local authentication on the Cisco WLC to point the clients to the correct role string so that I do not have to use an external RADIUS server? My WLAN has layer 2 security enabled, and is using LOCAL EAP authentication.</P> Mon, 05 Jul 2021 17:52:18 GMT https://community.cisco.com/t5/wireless/can-you-do-wireless-device-profiling-and-policy-classification/m-p/3909944#M170596 Sam Brynes 2021-07-05T17:52:18Z https://community.cisco.com/t5/wireless/can-you-do-wireless-device-profiling-and-policy-classification/m-p/3910121#M170597 <P>Hi Sam,</P><P>&nbsp;</P><P>As far as I know, the role string is the only thing that should be provided by the well-known cisco-av-pair in a local policy. The Radius engine on the WLC is light. When you configure your local policy there are only 3 conditions that you can match to trigger the policy :</P><P>- Role (should be provided by a Radius)</P><P>- EAP Type (the WLC can snoop that)</P><P>- Device Type (the WLC can use its local profiling table assuming that you configured local profiling on the WLAN)</P><P>&nbsp;</P><P>If you can't match the role because this attribute has not been sent by the Radius, you can only trigger your policy with the EAP type and the device type.</P><P>As you can see, the role is a MATCH criteria and not an action that will apply something to the client session.</P><P>&nbsp;</P> Mon, 19 Aug 2019 11:04:10 GMT https://community.cisco.com/t5/wireless/can-you-do-wireless-device-profiling-and-policy-classification/m-p/3910121#M170597 MTOMASSINI 2019-08-19T11:04:10Z https://community.cisco.com/t5/wireless/can-you-do-wireless-device-profiling-and-policy-classification/m-p/3911192#M170598 <P>I don't think you can do by role string for local auth, however your matching criteria can be EAP-TYPE (I think device type also works but I have not used it myself), then you can allocate any of the values in Action field.</P> Wed, 21 Aug 2019 00:58:17 GMT https://community.cisco.com/t5/wireless/can-you-do-wireless-device-profiling-and-policy-classification/m-p/3911192#M170598 Ambuj M 2019-08-21T00:58:17Z