09-15-2016 01:26 AM
Hi,
For a large site deployment, we want to restrict access so that users from site 1 are only able to connect to site 1 and not to any other site.
Easy to accomplish with authz policies, but the number of sites exceeds 1000+ and it is not scalable to define a policy for each site.
How could we define this authz policy in a scalable way? The wireless is centrally managed.
Thanks,
Bart
09-15-2016 09:12 AM
You can use a dynamic match policy to accomplish this. However, it requires some preparation in the user directory to work.

First identify (or create) an attribute in the user directory. If using AD, use one of the custom attributes for the user. Also make sure the attribute is indexed, as it will be retrieved by ISE during authentication, which has a short timeout. Once you have identified the attribute, you need to populate the attribute with the AP Group name for each of the matching users.

Once that is done, on the ISE configure the AD connector to retrieve the custom attribute and create an AuthZ policy with a condition that reads 'if RADIUS:Called-Station-ID contains AD:Custom Attribute then Permit Access'.

Next is to configure the Cisco WLC to send the AP Group in the RADIUS:Called-Station-ID field during authentication. To do that, on the WLC GUI go to 'Security > AAA > Authentication' and change the Auth Called Station ID Type to one of the options that includes 'AP Group'. It depends on the WLC version, but with 8.3 you can choose between 'AP Group' and 'AP MAC:SSID:AP Group'.
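As an added example (not from the thread or from Cisco), the following Python simulates the authorization rule the answer describes, for both Called Station ID Type formats, and shows why a 'contains' comparison should be checked against your AP Group naming scheme: a group name that is a prefix of another (Site-1 vs Site-10) will match both. The user-to-attribute table and the hyphenated AP MAC format are constructed assumptions.

```python
import re

# Constructed sample of the per-user AD custom attribute holding the AP Group
# name, as the answer describes (not real directory data).
AD_CUSTOM_ATTRIBUTE = {
    "bart": "Site-1",
    "alice": "Site-10",
}

# Assumption: the WLC writes the AP MAC with hyphens (00-1a-2b-3c-4d-5e).
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)


def ap_group_from_called_station_id(called_station_id: str) -> str:
    """Extract the AP Group from RADIUS:Called-Station-ID.

    Handles both Auth Called Station ID Type options named in the thread:
    'AP Group' (the bare group name) and 'AP MAC:SSID:AP Group'. In the
    combined form the group is the last field; splitting from the right
    keeps a colon-separated MAC intact, and the MAC check guards against
    a bare group name that happens to contain colons.
    """
    parts = called_station_id.rsplit(":", 2)
    if len(parts) == 3 and MAC_RE.match(parts[0]):
        return parts[2]
    return called_station_id


def contains_match(user: str, called_station_id: str) -> bool:
    """The literal rule: Called-Station-ID contains AD:Custom Attribute."""
    attr = AD_CUSTOM_ATTRIBUTE.get(user)
    return attr is not None and attr in called_station_id


def equals_match(user: str, called_station_id: str) -> bool:
    """Stricter variant: the extracted AP Group must equal the attribute."""
    attr = AD_CUSTOM_ATTRIBUTE.get(user)
    return attr is not None and ap_group_from_called_station_id(called_station_id) == attr


def authorize(user: str, called_station_id: str, strict: bool = True) -> str:
    """Return the ISE-style result for one authentication."""
    matched = equals_match(user, called_station_id) if strict else contains_match(user, called_station_id)
    return "PermitAccess" if matched else "DenyAccess"


if __name__ == "__main__":
    csid = "00-1a-2b-3c-4d-5e:corp-wifi:Site-10"  # bart (Site-1) roams to Site-10
    print("contains:", authorize("bart", csid, strict=False))  # PermitAccess (too broad)
    print("equals:  ", authorize("bart", csid, strict=True))   # DenyAccess
```

If the group names cannot be made equal-length or otherwise prefix-free, send the bare 'AP Group' type and compare with Equals instead of Contains, or include a trailing delimiter in the stored attribute so that substring matching cannot cross a field boundary.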