9800-40 Umbrella integration with VA forwarders

harold.spence
Level 1

Is it possible currently to integrate Umbrella with a 9800 WLC using the VA forwarders and ISE in a way that a specific Umbrella policy can be applied for different user types connecting to the same SSID? Every integration document I can find shows that it is using the Umbrella public DNS addresses and no way to specify internal VA forwarder addresses.

Currently the devices in question are profiling in Umbrella on the default policy but I want a way to assign them a different policy. These are VR headsets and if possible I would like to assign the Umbrella policy based off the user that authenticated to the SSID via MSCHAPv2. I am currently running 9800 IOS-XE 17.12.03 and ISE 3.2.0.542 Patch 4.

Any additional insight or a link to documentation to point me in the right direction would be greatly appreciated. I have already reviewed the following and determined it isn't exactly what we are looking for:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_cisco_umbrella_wlan.html

https://support.umbrella.com/hc/en-us/articles/4414769562900-Guide-to-troubleshooting-the-Cisco-Umbrella-Wireless-Controller-9800-integration

Thanks!

6 Replies

Greg Gibbs
Cisco Employee

Unless I'm mistaken, this is not possible. I don't believe there are any RADIUS AV-pairs available on the WLC for manipulating the Umbrella policies that ISE can take advantage of.

This is more of a limitation on the WLC side, so you might try asking that specific question on the Wireless community space.

Thank you, I will try posting there later today. I am very grateful for the feedback!

ccieexpert
Level 4

If you can reserve DHCP IP addresses and then split a subnet into smaller chunks, like splitting a /24 into /28s within Umbrella (not within the DHCP scope), so that one /28 chunk belongs to a different site (internal network) in Umbrella, then you can assign a different policy. Of course you can take a /22 and split it into /24s logically. Also, of course, if you use different SSIDs (DHCP scopes) or even manage to use different scopes for the same SSID, then something similar can be done.

Thank you for your input. This sounds like a solution but I have some reservations (no pun intended) about doing it this way. This is a test at one site for these drone VR headsets. Who knows how many I might have to add in the future at other sites. I also worry about the "you made it work for this, make it work for that" aspect of taking this approach as it might lead to a management nightmare. 

It definitely makes sense and seems like a solution to my problem. Just not one I think I want to take on in my specific situation.

Also, to answer your other question, we are currently making use of only the Umbrella VAs and not the WLC Umbrella integration, as it is my understanding from reading the documents I've found on the WLC integration that it would only point to their public DNS forwarders. We mainly utilize the forwarders because we have some policies based on internal IP information, and we also use the reporting tools based on internal IPs at times.

The real issue is what Umbrella uses as identity for policies. It can only use any of these: AD/Azure (Entra)/GSuite users/groups, AD computers, internal networks, roaming computers, mobile devices, etc.


The best option is to use a different IP subnet with a logical network in Umbrella to differentiate between these users, like I mentioned before. DHCP reservations are commonly done in environments. You can potentially have ISE and some scripting do this, but it has more challenges, as it may or may not be a real-time update.
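The carve-out approach described in the reply above, as an added example that is not from the thread or from Cisco: a small Python check that a /28 is a properly aligned block inside the SSID's DHCP scope, that resolves each reserved headset address to the Umbrella internal network (and policy) it would match, and that lists reservations which would still fall on the default policy. The network names, policy names, addresses and the longest-prefix-match assumption are all constructed here.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data, not taken from the thread: the /24 handed out by
# the SSID's DHCP scope, plus one /28 carved out of it and registered in
# Umbrella as its own internal network (logical site), as suggested above.
UMBRELLA_INTERNAL_NETWORKS: Dict[str, Tuple[str, str]] = {
    # CIDR               (Umbrella internal network, policy it maps to)
    "10.20.30.0/24":    ("HQ-Wireless",    "Default Policy"),
    "10.20.30.224/28":  ("HQ-VR-Headsets", "VR Headset Policy"),
}

# Constructed DHCP reservations (MAC -> IP) for the headsets. The third one
# was reserved outside the carved-out /28, so it would still get the default.
DHCP_RESERVATIONS: Dict[str, str] = {
    "00:11:22:33:44:01": "10.20.30.225",
    "00:11:22:33:44:02": "10.20.30.226",
    "00:11:22:33:44:03": "10.20.30.57",
}


def is_valid_carveout(cidr: str, scope: str) -> bool:
    """True if cidr is a properly aligned block lying entirely inside scope
    (e.g. a /28 inside the scope's /24). Misaligned blocks such as
    10.20.30.230/28 are rejected because Umbrella needs a real subnet."""
    try:
        block = ipaddress.ip_network(cidr, strict=True)   # host bits must be 0
    except ValueError:
        return False
    return block.subnet_of(ipaddress.ip_network(scope, strict=True))


def policy_for_ip(ip: str, networks=UMBRELLA_INTERNAL_NETWORKS) -> Optional[str]:
    """Policy of the most specific internal network containing ip, or None.
    Assumption: Umbrella applies the longest-prefix (most specific) match
    when internal networks are nested."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, (_site, policy) in networks.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, policy)
    return best[1] if best else None


def misplaced_reservations(reservations: Dict[str, str], wanted_policy: str,
                           networks=UMBRELLA_INTERNAL_NETWORKS) -> List[str]:
    """MACs whose reserved address would not land on wanted_policy, i.e.
    devices that keep hitting the default policy despite the carve-out."""
    return [mac for mac, ip in reservations.items()
            if policy_for_ip(ip, networks) != wanted_policy]
```

Running `misplaced_reservations(DHCP_RESERVATIONS, "VR Headset Policy")` on the constructed data returns the one MAC reserved outside the /28, which is the kind of drift the "management nightmare" concern above is about.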

ccieexpert
Level 4

Also, I am not sure if you are using the WLC Umbrella integration or just using the Umbrella VA?