10-20-2020 02:58 AM
Hello everyone
Please bear with me if my question seems a bit odd, as I am new to the world of ISE.
So I am looking to get ISE in my environment. As there is a concept of groups in ISE, what about my wired users? Suppose I have 2 departments, so I will make 2 groups (e.g. HR and IT), and each department has 2 wireless and 2 wired users. Do they still get all access, or do I need to make separate groups and/or policies for wired users?
10-20-2020 09:30 AM
IMO that question depends on requirements. I suggest taking a peek at the following resources to help understand the capabilities and variety of options you have with ISE:
http://labminutes.com/video/sec
HTH!
10-20-2020 01:30 PM
Typically we would separate the policies on ISE for wired and wireless, but that does not mean you can have a policy set for both wired and wireless and apply the same exact authorization profiles.
10-20-2020 10:50 PM
So just to be clear, I will have to make separate Authorization policies for wired and wireless users?
10-21-2020 04:02 PM
Not necessarily, it depends on how you want to build up your policy set. Take a look at this basic example, and see how the policy set can be conditioned to accept wired or wireless dot1x traffic:
10-21-2020 07:46 PM
Keep in mind that different network device types use different authorisation controls. For example, Catalyst switches support using downloadable ACLs (dACLs) while AireOS-based WLCs (5508, 5520, etc) leverage named Airespace ACLs. For this reason, we typically use different Policy Sets for Wired vs. Wireless and different Authorization Profiles for those sessions depending on the control that is being used.
Example:
AuthZ Profile = 'AuthZ-Wired-Computer' with a DACL
AuthZ Profile = 'AuthZ-Wireless-Computer' with an Airespace ACL
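
Added example (not posted by anyone in this thread, and not ISE's own code): a small Python model of the arrangement discussed above, where one policy set per medium is selected on RADIUS NAS-Port-Type, the same HR and IT groups are used in both, and only the returned authorization profile differs. The policy set names, ACL names and the `authorize` function are assumptions made for illustration.

```python
# Simplified model of ISE policy-set evaluation; an illustration, not ISE code.
# RADIUS values (RFC 2865 / IANA): Service-Type 2 = Framed,
# NAS-Port-Type 15 = Ethernet, 19 = Wireless-IEEE-802.11.
SERVICE_TYPE_FRAMED = 2
NAS_PORT_ETHERNET = 15
NAS_PORT_WIRELESS_80211 = 19

# Profile names come from the thread; the ACL names are constructed.
PROFILES = {
    "AuthZ-Wired-Computer": {"control": "dACL", "acl": "ACL-CORP-WIRED"},
    "AuthZ-Wireless-Computer": {"control": "Airespace-ACL-Name", "acl": "ACL-CORP-WLAN"},
}

# One policy set per medium. The same groups (HR, IT) appear in both; only
# the returned profile differs, because the enforcement control differs.
POLICY_SETS = [
    {"name": "Wired-Dot1x", "nas_port_type": NAS_PORT_ETHERNET,
     "rules": [({"HR", "IT"}, "AuthZ-Wired-Computer")]},
    {"name": "Wireless-Dot1x", "nas_port_type": NAS_PORT_WIRELESS_80211,
     "rules": [({"HR", "IT"}, "AuthZ-Wireless-Computer")]},
]


def authorize(request):
    """Return (policy_set_name, profile_name, profile) for a RADIUS request."""
    if request.get("service_type") != SERVICE_TYPE_FRAMED:
        return None, "DenyAccess", None
    for policy_set in POLICY_SETS:
        if policy_set["nas_port_type"] != request.get("nas_port_type"):
            continue
        # The first matching policy set owns the session; rules run top-down.
        for groups, profile_name in policy_set["rules"]:
            if request.get("group") in groups:
                return policy_set["name"], profile_name, PROFILES[profile_name]
        return policy_set["name"], "DenyAccess", None  # default rule
    return None, "DenyAccess", None


if __name__ == "__main__":
    for req in (  # constructed sample requests
        {"service_type": 2, "nas_port_type": 15, "group": "HR"},
        {"service_type": 2, "nas_port_type": 19, "group": "HR"},
        {"service_type": 2, "nas_port_type": 15, "group": "Guests"},
    ):
        print(req, "->", authorize(req)[:2])
```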