Policy Set for web admin GUI

Hi,

I have several web admin GUIs, like WLC and DNAC, that I would like to have RADIUS login to. I am running ISE 2.3.

The problem I am having is writing a Policy Set that will get matched when a web-login request comes to ISE.

In the RADIUS log I can see that the attempts have these two attributes:

Authentication Method PAP_ASCII
Authentication Protocol PAP_ASCII

I do not see NAS Port Type or any other attribute that is different from other RADIUS packets.

However, I am not able to choose Auth Method or Protocol as conditions in the Policy Set. I tried making my own condition in the Library, but that one I can only choose in the Authorization Policy, not the Policy Set.

Do you know any way I can do a Policy Set that will match on web login?

Regards

Philip

6 Replies

paul (Level 10)

Use device type and build a policy set for each device type. Or are you trying to distinguish between CLI and web access? I don't usually do that for WLCs.

Hi,

If I use only device type, then all traffic from the WLC will hit that Policy Set, including dot1x and MAB traffic. It would be ideal to have one Set for admin login (CLI and GUI), one for dot1x, one for MAB and one for Guest.
I can put a general Policy Set at the bottom that will catch all auth requests that aren't dot1x, MAB or guest, but I would rather have something that catches web auth traffic.
Regards
Philip

WLC authentication is TACACS, not RADIUS.
No you can have RADIUS also. I have done this on earlier versions of ISE.

https://rscciew.wordpress.com/tag/wireless-lan-controller/


I know you can but why would you? Or don't you have the TACACS license? Otherwise just put the WLC device type rules below your wireless SSID rules.

Accepted Solution

Yep, that is exactly the reason. Don't have a TACACS lic :(
Well, if there isn't a way to have Authentication Method or Protocol as a condition, then I have to have a rule at the bottom that catches all traffic that isn't dot1x or MAB.
Thank you for your answer.

Regards
Philip
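The ordering point raised in the thread (device-type set for the WLC placed below the wireless SSID/dot1x and MAB sets, or used as a catch-all at the bottom) can be checked with a small first-match simulation. This is an added example, not code from the thread, from Cisco or from ISE; the device type "WLC" and the "Authentication Protocol PAP_ASCII" value come from the thread, while the attributes used to recognise dot1x requests (EAP-Message present) and MAB requests (Service-Type = Call-Check) are assumptions made for the example.

```python
"""First-match simulation of ordered policy sets for the thread's scenario.
Added example, not Cisco/ISE code. Attribute names used to recognise dot1x
and MAB requests are assumptions; device type and PAP_ASCII are from the thread."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class RadiusRequest:
    device_type: str                      # network device group of the NAS
    attrs: Dict[str, str] = field(default_factory=dict)


# Conditions (assumptions): an 802.1X request carries EAP-Message, a MAB
# request carries Service-Type=Call-Check; a web-admin PAP login carries
# neither, and the log only shows Authentication Protocol PAP_ASCII.
def is_dot1x(r: RadiusRequest) -> bool:
    return "EAP-Message" in r.attrs


def is_mab(r: RadiusRequest) -> bool:
    return r.attrs.get("Service-Type") == "Call-Check"


def is_wlc(r: RadiusRequest) -> bool:
    return r.device_type == "WLC"


PolicySet = Tuple[str, Callable[[RadiusRequest], bool]]


def match_policy_set(policy_sets: List[PolicySet], r: RadiusRequest) -> str:
    """Policy sets are evaluated top-down; the first whose condition matches
    wins, and the Default set catches whatever is left."""
    for name, cond in policy_sets:
        if cond(r):
            return name
    return "Default"


# Ordering suggested in the thread: SSID (dot1x) and MAB sets above the
# WLC device-type set, so the device-type set only sees admin logins.
RECOMMENDED: List[PolicySet] = [
    ("Wireless dot1x", is_dot1x),
    ("Wireless MAB", is_mab),
    ("WLC admin (device type)", is_wlc),
]

# Ordering the original poster worried about: the device-type set on top
# swallows every request from the WLC, dot1x and MAB included.
WLC_FIRST: List[PolicySet] = [RECOMMENDED[2], RECOMMENDED[0], RECOMMENDED[1]]

# Constructed sample requests, all arriving from a WLC.
SAMPLES: Dict[str, RadiusRequest] = {
    "admin gui": RadiusRequest("WLC", {"User-Name": "philip",
                                        "Authentication Protocol": "PAP_ASCII"}),
    "dot1x": RadiusRequest("WLC", {"User-Name": "alice",
                                    "EAP-Message": "<eap payload>"}),
    "mab": RadiusRequest("WLC", {"User-Name": "aa-bb-cc-dd-ee-ff",
                                  "Service-Type": "Call-Check"}),
}


def classify_all(policy_sets: List[PolicySet]) -> Dict[str, str]:
    """Map each sample request to the policy set it would land in."""
    return {label: match_policy_set(policy_sets, req)
            for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, sets in (("recommended order", RECOMMENDED),
                        ("WLC set first", WLC_FIRST)):
        print(label, classify_all(sets))
```

With the device-type set at the bottom, only the PAP admin login reaches it; moved to the top, it also captures the dot1x and MAB requests from the same WLC, which is the behaviour described in the thread.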
