09-05-2024 01:33 AM
Trying to fill the gap here:
1) PSK-authenticated SSID mapped to default L2VNID#1 (VLAN)
2) Depending on the MAC address, a client of the SSID must land in either the default or the non-default L2VNID#2
You decide to apply MAC-filtering to the SSID and direct the WLC to request ISE for AuthZ, where you have configured a non-default rule to match the endpoint's MAC against a designated EID-group and to return L2VNID#2 in Tunnel-Private-Group-ID. The default rule just returns AccessAccept (it's still needed for the rest of the endpoints). Now you need all MACs targeted for L2VNID#2 to be members of the designated EID-group. And you think you don't need to list the rest of the SSID's clients anywhere because successful authentication requires matching the proper PSK only.
Everything looks good until you recall that all clients of the SSID are now subject to AuthC. You could configure the default AuthC rule to use Internal Endpoints, and it would do the job for those endpoints you coded as members of the designated EID-group. But what to do for the rest of the endpoints? You don't want to create a separate EID-group for them. You then think about modifying the default AuthC rule to look like this:
Do you achieve the goal at this point? Any ideas?
09-05-2024 03:29 AM
Found confirmation here: Solved: ISE only be authorization for wireless users - Cisco Community