
Cisco ISE, Wireless vs wired

Asfandyar70754
Level 1

Hello everyone

Please bear with me if my question seems a bit odd, as I am new to the world of ISE.

So I am looking to get ISE in my environment. As there is a concept of groups in ISE, what about my wired users? Suppose I have 2 departments, so I will make 2 groups (e.g. HR and IT), and each department has 2 wireless and 2 wired users. Do they still get all access, or do I need to make separate groups and/or policies for wired users?

5 Replies

Mike.Cifelli
VIP Alumni

IMO that question depends on requirements.  I suggest taking a peek at the following resources to help understand the capabilities and variety of options you have with ISE:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

http://labminutes.com/video/sec

HTH!

Typically we would separate the policies on ISE for wired and wireless, but that does not mean you can have a policy set for both wired and wireless and apply the same exact authorization profiles.

So just to be clear, I will have to make separate Authorization policies for wired and wireless users?

Not necessarily, it depends on how you want to build up your policy set. Take a look at this basic example, and see how the policy set can be conditioned to accept wired or wireless dot1x traffic:

[Image: ISE_policy_example0000.jpg]

Greg Gibbs
Cisco Employee

Keep in mind that different network device types use different authorisation controls. For example, Catalyst switches support using downloadable ACLs (dACLs) while AireOS-based WLCs (5508, 5520, etc) leverage named Airespace ACLs. For this reason, we typically use different Policy Sets for Wired vs. Wireless and different Authorization Profiles for those sessions depending on the control that is being used.

Example:

AuthZ Profile = 'AuthZ-Wired-Computer' with a DACL

AuthZ Profile = 'AuthZ-Wireless-Computer' with an Airespace ACL
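
As an added illustration (not part of the thread, and not ISE's engine or API), the following Python model shows how the same HR/IT identity groups can be reused in a wired and a wireless policy set while each medium receives the enforcement attribute its device type understands. The ACL names, the rule tables, and the reject-on-no-match behaviour are assumptions made for the example; the profile names are the ones from the post above.

```python
"""Model of policy-set selection by medium; not ISE's engine or API."""

ETHERNET, WIRELESS_80211 = 15, 19   # RADIUS NAS-Port-Type values (RFC 2865 / IANA)

# Profile names follow the post; ACL names are hypothetical.
PROFILES = {
    "AuthZ-Wired-Computer": ("dacl", "PERMIT-CORP-WIRED"),
    "AuthZ-Wireless-Computer": ("airespace", "PERMIT-CORP-WLAN"),
}

# One policy set per medium; the HR/IT identity groups are reused in both.
POLICY_SETS = [
    {"name": "Wired", "nas_port_type": ETHERNET,
     "rules": {"HR": "AuthZ-Wired-Computer", "IT": "AuthZ-Wired-Computer"}},
    {"name": "Wireless", "nas_port_type": WIRELESS_80211,
     "rules": {"HR": "AuthZ-Wireless-Computer", "IT": "AuthZ-Wireless-Computer"}},
]


def render(profile_name):
    """Turn a profile into the RADIUS attributes the enforcement point understands."""
    kind, acl = PROFILES[profile_name]
    if kind == "dacl":
        # Catalyst switch: the dACL is referenced through a cisco-av-pair. The trailing
        # version token is generated by the server, so a placeholder stands in for it.
        return {"cisco-av-pair": f"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-{acl}-<version>"}
    # AireOS WLC: the ACL must already exist on the controller under this name.
    return {"Airespace-ACL-Name": acl}


def authorize(nas_port_type, identity_group):
    """Return (result, policy_set, profile, attributes).

    Assumption of this model: anything that matches no policy set or no rule
    is rejected, so an unexpected medium or group never gets access by default.
    """
    for ps in POLICY_SETS:
        if ps["nas_port_type"] == nas_port_type:
            profile = ps["rules"].get(identity_group)
            if profile is None:
                return ("Access-Reject", ps["name"], None, {})
            return ("Access-Accept", ps["name"], profile, render(profile))
    return ("Access-Reject", "Default", None, {})


if __name__ == "__main__":
    # Constructed sample requests: (NAS-Port-Type, identity group)
    for medium, group in [(ETHERNET, "HR"), (WIRELESS_80211, "HR"), (5, "IT"), (ETHERNET, "Guest")]:
        print(medium, group, authorize(medium, group))
```
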