
Policy Set for web admin gui

Hi,

I have several web admin GUIs, like WLC and DNAC, that I would like to have RADIUS-login to. I am running ISE 2.3.

The problem I am having is to write a Policy Set that will get matched when a web-login-request comes to ISE.

In the RADIUS-log I can see that the attempts have these two attributes:

Authentication Method PAP_ASCII
Authentication Protocol PAP_ASCII

I do not see NAS Port type or any other attribute that is different from other RADIUS packets.

However, I am not able to choose Auth Method or Protocol as conditions in the Policy Set. I tried making my own condition in the Library, but that one I can only choose in the Authorization Policy, not the Policy Set.

Do you know any way I can do a Policy Set that will match on web-login?

Regards

Philip

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Policy Set for web admin gui

Yep, that is exactly the reason. Don't have TACACS lic :(
Well if there isn't a way to have Authentication Method or Protocol as a condition then I have to have a rule at the bottom that catches all traffic that isn't dot1x or mab.
Thank you for your answer.

Regards
Philip

6 REPLIES 6
VIP Engager

Re: Policy Set for web admin gui

Use device type and build a policy set for each device type. Or are you trying to distinguish between CLI and Web access? I don't usually do that for WLCs.

Re: Policy Set for web admin gui

Hi,

If I use only device type then all traffic from the WLC will hit that Policy Set, including dot1x and MAB traffic. It would be ideal to have one Set for Admin login (CLI and GUI), one for Dot1x, one for MAB and one for Guest.
I can put a general Policy Set at the bottom that will catch all auth requests that aren't dot1x, mab, guest, but I would rather have something that catches web auth traffic.
Regards
Philip
VIP Engager

Re: Policy Set for web admin gui

WLC authentication is TACACS not RADIUS.






Re: Policy Set for web admin gui

No, you can have RADIUS also. I have done this on earlier versions of ISE.

https://rscciew.wordpress.com/tag/wireless-lan-controller/

VIP Engager

Re: Policy Set for web admin gui

I know you can but why would you? Or don't you have the TACACS license? Otherwise just put the WLC device type rules below your wireless SSID rules.

