Authz policy - control User access per AP(-group)?

bbruninx
Cisco Employee

Hi,

For a large multi-site deployment, we want to restrict access so that users from site 1 are only able to connect to site 1 and not to any other site.

This is easy to accomplish with authz policies, but the number of sites exceeds 1000+, and it is not scalable to define a policy for each site.

How could we define this authz policy in a scalable way? The wireless is centrally managed.

thanks

Bart

Accepted Solution

howon
Cisco Employee

You can use a dynamic match policy to accomplish this. However, it requires some preparation in the user directory to work.

First identify (or create) an attribute in the user directory. If using AD, use one of the custom attributes for the user. Also make sure the attribute is indexed, as it will be retrieved by ISE during authentication, which has a short timeout. Once you have identified the attribute, you need to populate it with the AP Group name for each of the matching users.

Once that is done, on ISE configure the AD connector to retrieve the custom attribute and create an AuthZ policy with the condition 'if RADIUS:Called-Station-ID contains AD:Custom Attribute then Permit Access'.

Next, configure the Cisco WLC to send the AP Group in the RADIUS:Called-Station-ID field during authentication. To do that, in the WLC GUI go to 'Security > AAA > Authentication' and change the Auth Called Station ID Type to one of the options that includes 'AP Group'. It depends on the WLC version, but with 8.3 you can choose between 'AP Group' and 'AP MAC:SSID:AP Group'.

View solution in original post
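The rule in the accepted answer is a substring match: "Called-Station-ID contains AD custom attribute". The simulation below is an added example, not code from the thread or from Cisco ISE; it models the policy evaluation offline with constructed directory entries and RADIUS attribute values to show the practical check you want before rolling this out: a 'contains' rule lets a user whose attribute is 'Site1' authenticate at AP group 'Site10', whereas matching the parsed AP Group field exactly does not. Assumptions, labelled in the comments: the composite Called-Station-ID has the form 'AP MAC:SSID:AP Group' with a hyphen-separated MAC, and a user with no populated attribute is denied (how ISE treats an empty attribute in a 'contains' condition is not stated in the post).

```python
"""Offline model of the ISE authz rule from the thread.

The WLC is configured to send the AP Group in RADIUS Called-Station-ID; ISE
compares it with a per-user custom AD attribute that holds the user's home
AP Group.  Two evaluators are shown: the 'contains' rule as posted, and an
exact match on the parsed AP Group field.  All data here is constructed.
"""

# Constructed sample: custom AD attribute populated with each user's AP Group.
AD_USERS = {
    "alice": "Site1",
    "bob": "Site10",
    "carol": "",        # attribute never populated for this user
}


def parse_called_station_id(csid: str) -> dict:
    """Split Called-Station-ID into its fields.

    Assumed formats (not confirmed by the post beyond the type names):
      'AP Group'                  -> just the group name
      'AP MAC:SSID:AP Group'      -> MAC uses '-' separators, so the first
                                     ':' ends the MAC; the last ':' starts
                                     the AP Group (SSIDs may contain ':').
      'AP MAC:SSID'               -> WLC type without AP Group: no group field
    """
    if ":" not in csid:
        return {"ap_mac": None, "ssid": None, "ap_group": csid}
    ap_mac, rest = csid.split(":", 1)
    if ":" not in rest:
        # Called Station ID Type without AP Group: nothing to authorize on.
        return {"ap_mac": ap_mac, "ssid": rest, "ap_group": None}
    ssid, _, ap_group = rest.rpartition(":")
    return {"ap_mac": ap_mac, "ssid": ssid, "ap_group": ap_group}


def authz_contains(user: str, csid: str) -> bool:
    """The rule as posted: Called-Station-ID contains AD:CustomAttribute."""
    attr = AD_USERS.get(user, "")
    if not attr:
        # Assumption for the model: an unpopulated attribute must not permit
        # ('' is a substring of everything, so an unguarded rule would).
        return False
    return attr in csid


def authz_exact(user: str, csid: str) -> bool:
    """Tighter variant: the parsed AP Group field must equal the attribute."""
    attr = AD_USERS.get(user, "")
    if not attr:
        return False
    group = parse_called_station_id(csid)["ap_group"]
    return group is not None and group == attr


def substring_collisions(group_names) -> list:
    """Directory audit: pairs (a, b) where group name a is a substring of b.

    Any such pair means a 'contains' rule lets users of a onto APs of b.
    Empty values are ignored (they are caught by the evaluators above).
    """
    names = sorted({n for n in group_names if n})
    return [(a, b) for a in names for b in names if a != b and a in b]


def run_simulation() -> list:
    """Evaluate constructed RADIUS requests under both rules."""
    requests = [  # (user, Called-Station-ID as the WLC would send it)
        ("alice", "00-11-22-33-44-55:CorpWiFi:Site1"),   # home site
        ("alice", "00-11-22-33-44-66:CorpWiFi:Site10"),  # foreign site
        ("alice", "Site1"),                              # 'AP Group' type only
        ("bob",   "00-11-22-33-44-66:CorpWiFi:Site10"),
        ("carol", "00-11-22-33-44-55:CorpWiFi:Site1"),   # no attribute
    ]
    return [
        {"user": u, "csid": c,
         "contains": authz_contains(u, c), "exact": authz_exact(u, c)}
        for u, c in requests
    ]


if __name__ == "__main__":
    for row in run_simulation():
        print(row)
    print("substring collisions:", substring_collisions(AD_USERS.values()))
```

In the run, alice's request at 'Site10' is permitted by the 'contains' rule and denied by the exact match. Before deploying the posted rule, run the collision audit over the real set of AP Group names; if any name is a prefix or substring of another, either rename the groups (for example zero-padded site numbers) or select the 'AP Group' Called Station ID Type and use an equals condition instead of 'contains'.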
