Beginner

Cisco ISE, Wireless vs wired

Hello everyone

Please bear with me if my question seems a bit odd, as I am new to the world of ISE.

So I am looking to get ISE in my environment. As there is a concept of groups in ISE, what about my wired users? Suppose I have 2 departments, so I will make 2 groups (e.g. HR and IT), and each department has 2 wireless and 2 wired users. Do they still get all access, or do I need to make separate groups and/or policy for wired users?

5 REPLIES
VIP Advocate

IMO that question depends on requirements.  I suggest taking a peek at the following resources to help understand the capabilities and variety of options you have with ISE:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

http://labminutes.com/video/sec

HTH!

VIP Rising star

Typically we would separate the policies on ISE for wired and wireless, but that does not mean you can have a policy set for both wired and wireless and apply the same exact authorization profiles.


So just to be clear, I will have to make separate Authorization policies for wired and wireless users?

VIP Rising star

Not necessarily, it depends on how you want to build up your policy set. Take a look at this basic example, and see how the policy set can be conditioned to accept wired or wireless dot1x traffic:

[Image: ISE_policy_example0000.jpg]

Cisco Employee

Keep in mind that different network device types use different authorisation controls. For example, Catalyst switches support using downloadable ACLs (dACLs) while AireOS-based WLCs (5508, 5520, etc.) leverage named Airespace ACLs. For this reason, we typically use different Policy Sets for Wired vs. Wireless and different Authorization Profiles for those sessions depending on the control that is being used.

Example:

AuthZ Profile = 'AuthZ-Wired-Computer' with a DACL

AuthZ Profile = 'AuthZ-Wireless-Computer' with an Airespace ACL
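
The split the replies describe, sketched as an added example that is not part of any post in this thread and is not ISE's own code or configuration: the same identity groups (HR, IT) are reused for both media, the RADIUS NAS-Port-Type selects the policy set, and the policy set selects the authorization profile. The ACL name, the rule layout, the `authorize` function and the deny-by-default fallthrough are assumptions made for illustration; only the two profile names come from the thread.

```python
# Illustrative model only: ISE policy is built in its admin UI, not in Python.
# Profile names come from the thread; the ACL name and rules are constructed.
ETHERNET, WIRELESS_80211 = 15, 19  # RADIUS NAS-Port-Type values (RFC 2865)

PROFILES = {
    "AuthZ-Wired-Computer":    {"control": "dACL",          "acl": "PERMIT_CORP"},
    "AuthZ-Wireless-Computer": {"control": "Airespace-ACL", "acl": "PERMIT_CORP"},
    "DenyAccess":              {"control": "Access-Reject", "acl": None},
}

# Policy sets are checked top-down; the first one whose condition matches wins.
POLICY_SETS = [
    {"name": "Wired",
     "match": lambda req: req.get("NAS-Port-Type") == ETHERNET,
     "rules": [({"HR", "IT"}, "AuthZ-Wired-Computer")]},
    {"name": "Wireless",
     "match": lambda req: req.get("NAS-Port-Type") == WIRELESS_80211,
     "rules": [({"HR", "IT"}, "AuthZ-Wireless-Computer")]},
]


def authorize(req, user_group):
    """Return (policy_set, profile_name, profile) for one RADIUS request."""
    for pset in POLICY_SETS:
        if not pset["match"](req):
            continue
        for groups, profile in pset["rules"]:
            if user_group in groups:
                return pset["name"], profile, PROFILES[profile]
        # Policy set matched but no rule did: use its default rule (deny here).
        return pset["name"], "DenyAccess", PROFILES["DenyAccess"]
    # No policy set matched (unexpected medium): deny rather than permit.
    return "Default", "DenyAccess", PROFILES["DenyAccess"]


if __name__ == "__main__":
    samples = [("HR", ETHERNET), ("HR", WIRELESS_80211), ("Guest", ETHERNET)]
    for group, port_type in samples:  # constructed sample sessions
        print(group, port_type, authorize({"NAS-Port-Type": port_type}, group))
```
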
