01-03-2018 10:45 AM - edited 02-21-2020 10:43 AM
Hello All,
Cisco ISE: 2.0.0.306
Patch: 2,3,4
Our ISE configuration was mostly done for us with the help of a consultant. We have about 12 locations around the country. But, the setup for ISE's Policies for Wired/Wireless is that we have Compliant, Non-Compliant, and Unknown Policies where you are either in the HQ or you're NOT in the HQ (*so all other locations, i.e. Location != HQ). So there is Wireless_Compliant_HQ, Wireless_Compliant_Branch, etc.
We are now beginning to implement AnyConnect/NAM/ISEPosture into our remote branch offices. Wired is working just fine because each location's Network Access Devices (*Cisco switches) are all setup with their proper locations. So clients in the remote offices would match to the Wired Policies where Location != HQ (*i.e. Wired_Compliant_Branch).
However, I'm realizing this might be an issue with the Wireless Policies... Since we have 2 Wireless Controllers, and the Branch Offices' Access Points are connected to the HQ's WLC, clients attempting to connect to SSIDs in their locations, where those SSIDs authenticate through ISE, are getting put into the Wireless_Unknown_HQ Policy. So I'm assuming this is because the WLC Network Access Device's configuration has HQ set as the Location.
Am I thinking through this correctly? If I am, is there another attribute or Location option that I could do that would achieve the correct results..? Any thoughts or suggestions would be greatly appreciated!
Thanks in Advance,
Matt
01-09-2018 04:51 AM
Hi Matthew,
There are many options you can use for 'location' based authorization:
- AP name (you can rename APs so that branch APs use a similar name) - say an 'AP name begins with branch' type of condition. You have to change the WLC's RADIUS accounting format
- AP MAC (if you don't have that many APs)
- SSID name (maybe you use different SSID names for HQ vs branch)
- define AP location field on WLC and use it in authorization rule
Example: https://supportforums.cisco.com/legacyfs/online/ise_location-based_web_portals-v2.pdf (page 10)
Thanks,
Octavian
01-03-2018 12:25 PM
First of all, you are correct in your assumptions about the WLC interaction with ISE: all clients connected on wireless are authenticated by the WLC, so if your WLC is in the HQ location it will seem like all wireless clients are too.
I don't think there is a quick and easy way to do this. You might have to look at the IP address of the authenticating device and determine based on that which location they are at, assuming you have different subnets for your remote locations. Another way, which wouldn't be as good, might be to separate users into location groups and set up authorization based on that, but if you have users that travel between sites routinely it would probably not work too well.
01-08-2018 10:53 AM
01-09-2018 10:15 AM
01-09-2018 10:29 AM - edited 01-09-2018 10:30 AM
*Addition to previous comment...
I believe I found in the WLC where you modify what the Called-Station-ID attribute sends to ISE. I assume this is where you get most of the options for what you described in your comment, like AP Name, AP Location field, AP mac address, etc...? *Screenshot attached.
Before I modify anything here in the WLC, is this something that should be done off-hours? When this setting is changed in the WLC, would any of the wireless networks drop, or cause clients to drop/re-authenticate, after I click Apply?
Lastly, we are currently using called-station-id to verify the SSID a client is connecting to. So, since the current value of called-station-id is "AP-Mac-Address:SSID", if I choose one of the other options which also ends with "..some-value.. : SSID", would that cause any issues in the current Policy Sets using called-station-id?
Thanks Again,
Matt
01-09-2018 10:59 AM
As with any change that could impact end users in a production environment, it's probably best to make any changes after hours and conduct testing after the changes are made to make sure everything is still operating as usual.
Making the change shouldn't have any impact on currently authenticated users, though. New authentications from the WLC will just contain different information in the called-station-id attribute, since this is just changing the information the WLC sends to ISE during authentication.
As for the called-station-id attribute, if you currently use the SSID information you will have to use an option that contains that, but as you said, you can use any option that has that information in it without issue. So, say, if you wanted to use <AP name:SSID>, it would still contain the same SSID information as the <MAC : SSID> option.
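An added example (not code from the thread, Cisco ISE or the WLC) that shows the point made above and in the accepted answer: a check on the SSID suffix of Called-Station-Id survives switching the WLC from the "AP MAC:SSID" format to "AP name:SSID", while a prefix check on the AP name gives the branch/HQ split. The "branch..." AP naming convention, the policy names and all sample values are assumptions.

```python
from __future__ import annotations

# Added example: how ISE-style conditions on the RADIUS Called-Station-Id
# attribute behave under the two WLC formats discussed in the thread.
# Sample values are constructed; the "branch..." AP-name prefix and the
# Wireless_<Posture>_<Location> policy names are assumptions.


def parse_called_station_id(value: str) -> tuple[str, str]:
    """Split Called-Station-Id into (prefix, ssid).

    The WLC appends ':SSID' after the AP identifier, so splitting on the
    LAST colon isolates the SSID whether the prefix is an AP MAC written
    with hyphens or colons, an AP name, or an AP location string.
    """
    if ":" not in value:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    prefix, ssid = value.rsplit(":", 1)
    return prefix, ssid


def ssid_matches(value: str, wanted_ssid: str) -> bool:
    """The existing SSID check: depends only on the suffix, not the prefix."""
    return parse_called_station_id(value)[1].lower() == wanted_ssid.lower()


def location_from_prefix(value: str) -> str:
    """Mimic an ISE 'Called-Station-ID STARTS WITH branch' condition.

    Only meaningful once the WLC sends AP name (or AP location) as the
    prefix; a MAC prefix never starts with 'branch', so it stays HQ.
    """
    prefix, _ = parse_called_station_id(value)
    return "Branch" if prefix.lower().startswith("branch") else "HQ"


def select_policy(value: str, posture: str) -> str:
    """Build the policy name pattern used in the thread, e.g. Wireless_Compliant_Branch."""
    if posture not in ("Compliant", "NonCompliant", "Unknown"):
        raise ValueError(f"unknown posture state: {posture!r}")
    return f"Wireless_{posture}_{location_from_prefix(value)}"


if __name__ == "__main__":
    # Constructed samples: old MAC-based format and new AP-name-based format.
    old_format = "00-1a-2b-3c-4d-5e:Corp-Secure"
    new_format = "branch07-ap01:Corp-Secure"
    print(ssid_matches(old_format, "Corp-Secure"), ssid_matches(new_format, "Corp-Secure"))
    print(select_policy(old_format, "Compliant"))  # HQ: MAC prefix never matches 'branch'
    print(select_policy(new_format, "Compliant"))  # Branch
```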
01-09-2018 11:13 AM
01-09-2018 11:15 AM
The AP name can be changed without affecting the AP group, however it may disconnect clients associated to that AP momentarily but they will just reconnect.
01-09-2018 12:54 PM
01-09-2018 01:11 PM
That stuff isn't in the ISE guide because it is more generic to all radius capable devices.
Check this out and it should give you a better idea of what each one does.
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html
01-12-2018 09:15 AM