Cisco ISE Policy Set for Access-Points

gaigl
Level 3

Hello,

We have a Cisco ISE 3.4 p1 and some 802.1x and MAB policies.

Now I want our Access-Points (Cisco-AP-Catalyst-9120AX) in an extra VLAN.

Under Context Visibility I see all the APs with the model, but I don't know where to start.

For a new Policy Set, should I use the condition Device-Type: $Switch, like for the 802.1x and MAB policy?

Where can I use the Endpoint Profile "Cisco-AP-Catalyst-9120AX" in a Policy Set?

I know that I can define the VLAN in the Authorization Policy.

Any help appreciated.

It depends on how you want the match to be. If you want the match to be done based on device type or location, then you can add those conditions to your policy.

If you want to use the AP profile as a condition then in the authorization rule you can select "EndPoints > EndPointPolicy" as the condition and then finally select the profile you want to use.

gaigl
Level 3

OK, thank you!

I now have the authorization rule with the Endpoints, but what will be the condition of the Policy Set?

I could use "Device Type: Access-Switch", but what would I use for "Allowed Protocols / Server Sequence"?

I think I have to differ from the 802.1x and MAB policy anyway.

Sorry if I'm a little bit clueless.

You're welcome. Are you going to do MAB for the APs?

If you already have a policy set and you don't want to create a separate one to authenticate and authorize the APs, then you can just add a new authentication rule to your existing MAB (assuming you will be doing MAB) policy, specifying the device type and location in the authentication rule as conditions. Then you create a new authorization rule with the APs' profile as a condition, as shown in my post above.

Oh, I understand, I'll try tomorrow.

Thank you

gaigl
Level 3

I'm not sure. The ISE knows the AP model without any work from me; it could be from the MAC address.

It would be good if I don't need to take any action when a new AP is mounted.

ISE has plenty of predefined profiles. If you look at the APs' profile, you would most likely see some attributes in addition to the OUI.

gaigl
Level 3

Thanks a lot, Aref, it works as expected: new Authorization Rule in the MAB Policy Set.

You're very welcome, glad to be of help.