

Shivu b

Hello Team,


I'm looking for an option to enable AAA RADIUS in ISE for NADs, both switches and the wireless controller.

Currently, wireless clients are authenticating against the ISE RADIUS server; the called station ID is AP MAC address SSID.


I added the network device (wireless controller) to the ISE NAD group and created an Authentication policy for login via AD user ID and an Authorization policy, but no RADIUS requests are hitting ISE.

My question: should I change the called station ID from AP MAC address SSID on the wireless controller? Does it affect wireless client users if I change the Auth called station ID type?

What Auth called station ID should I use for authentication and authorization of both wireless clients and the wireless NAD via ISE RADIUS?

Thanks in advance.


Accepted Solutions

Cisco Employee

Sounds like you have a RADIUS configuration problem. See these guides for AAA configuration:

Wireless controllers offer many options for the RADIUS Called-Station-ID:


You said you are using AP MAC address:SSID, which is perfectly fine. It is your choice depending on how you might want to use this information in your ISE Authentication and Authorization policies. This allows you to match the SSID in your Authorization Policy to provide the appropriate level of access for that wireless service (Guest vs Corporate vs BYOD, etc.) with a rule like:

Conditions: RADIUS:Called-Station-ID ENDS_WITH Guest AND Guest_Flow
Profiles: Internet_Only
Security Groups: Guest
Hits: 0


If you then change your WLC's Called-Station-ID to something that does not end with :SSID, then you affect your authorization policy matching, with potentially bad effects.
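The matching behaviour described in this answer, as an added example that is not part of the original post and is not ISE or WLC code: it models ENDS_WITH as a plain case-sensitive suffix test (an assumption) and runs the rule over constructed Called-Station-ID values. The AP name, MAC address, the "Corp-Guest" SSID and the format labels other than AP MAC address:SSID are hypothetical.

```python
# Added example: ENDS_WITH is modelled as a case-sensitive suffix test.
# That is an assumption for illustration, not ISE's own matching code.
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")

def split_called_station_id(value):
    """Return (ap_part, ssid); ssid is None when no ':SSID' suffix is present."""
    m = MAC_RE.match(value)
    if m:
        # A MAC may itself contain colons, so strip it before looking for ':SSID'.
        rest = value[m.end():]
        ap, ssid = m.group(0), (rest[1:] if rest.startswith(":") else None)
    else:
        ap, sep, ssid = value.rpartition(":")
        if not sep:
            ap, ssid = value, None
    return ap, ssid or None

def ends_with(value, suffix):
    return value.endswith(suffix)

# Constructed sample values, one per hypothetical Called-Station-ID setting.
SAMPLES = {
    "AP MAC address:SSID": "00-11-22-33-44-55:Guest",
    "AP MAC address only": "00-11-22-33-44-55",
    "AP name:SSID": "AP-Floor2:Guest",
    "AP name only": "AP-Floor2",
    "AP MAC address:SSID (other WLAN)": "00-11-22-33-44-55:Corp-Guest",
}

def rule_hits(suffix):
    """Evaluate 'Called-Station-ID ENDS_WITH <suffix>' against every sample."""
    return {label: ends_with(v, suffix) for label, v in SAMPLES.items()}

if __name__ == "__main__":
    for suffix in ("Guest", ":Guest"):
        print(f"ENDS_WITH {suffix!r}")
        for label, hit in rule_hits(suffix).items():
            ap, ssid = split_called_station_id(SAMPLES[label])
            print(f"  {label:34} ssid={ssid!s:11} match={hit}")
```

Formats without an SSID suffix never hit the rule, and a bare "Guest" suffix also hits an SSID that merely ends in "Guest", while ":Guest" does not.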







Arne Bier
VIP Advisor

If you're not seeing any RADIUS traffic in ISE from the Wireless controller, then the problem could also be elsewhere. E.g. if your WLAN is configured for 802.1X (or MAB or iPSK) then of course you have to specify your RADIUS servers.

1) Are the IP addresses of the RADIUS server correct? Can you ping ISE from the WLC CLI?

2) Are the RADIUS shared secrets matching on WLC and ISE?

3) What does your ISE LiveLog look like? No activity at all? Then I would run a tcpdump on that ISE node to see if anything is coming in.


The Called-Station ID is correct for your needs. The SSID is very useful in Authorization Policies if you need to go down to that granular level.

Clients are not affected by this change made at the RADIUS level (of course as long as the RADIUS flow still works as expected and completes as expected - but the format of individual attributes is not visible to the clients.)